CVE-2026-24422
Published: 24 January 2026
Summary
CVE-2026-24422 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in phpMyFAQ (vendor: Phpmyfaq). Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-22 (Publicly Accessible Content).
Deeper analysis
CVE-2026-24422 is an information disclosure vulnerability in phpMyFAQ, an open source FAQ web application, affecting versions 4.0.16 and below. Multiple public API endpoints lack sufficient access controls, exposing sensitive user information. Specifically, the OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning non-public records (isVisible=false) alongside user email addresses. Similar issues exist in the comment, news, and FAQ APIs, as classified under CWE-200 with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Unauthenticated attackers can exploit this over the network with low complexity and no user interaction. By querying the affected endpoints, they can harvest email addresses for phishing campaigns or access content explicitly marked as private, enabling targeted social engineering or unauthorized data collection.
The vulnerability has been fixed in phpMyFAQ version 4.0.17. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc.
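The following PHP is an added illustration of the defect pattern the advisory describes and of the two controls named above; it is not phpMyFAQ's code. The advisory names OpenQuestionController::list(), Question::getAll(), showAll and isVisible; everything else (the row layout, the sample records, the callerIsAdmin flag, listVulnerable()) is a hypothetical simplification.

```php
<?php
// Added example, not phpMyFAQ's code: a reduced model of the pattern in the
// advisory. Names other than those the advisory mentions are hypothetical.
declare(strict_types=1);

final class Question
{
    /** Constructed sample rows; a real store would be the database. */
    private array $rows = [
        ['id' => 1, 'question' => 'How do I reset my password?',
         'email' => 'alice@example.org', 'isVisible' => true],
        ['id' => 2, 'question' => 'Draft: internal pricing rules?',
         'email' => 'bob@example.org', 'isVisible' => false],
    ];

    /** showAll=true returns hidden rows too, which is the risky default. */
    public function getAll(bool $showAll = true): array
    {
        return $showAll
            ? $this->rows
            : array_values(array_filter($this->rows, fn(array $r) => $r['isVisible']));
    }
}

final class OpenQuestionController
{
    public function __construct(private Question $questions, private bool $callerIsAdmin) {}

    // Vulnerable shape: relies on getAll()'s default, so an anonymous caller
    // receives isVisible=false rows and every submitter's email address.
    public function listVulnerable(): array
    {
        return $this->questions->getAll();
    }

    // Hardened shape: showAll is tied to the caller's authorization (AC-3),
    // and the public projection omits email entirely (AC-22).
    public function list(): array
    {
        $rows = $this->questions->getAll(showAll: $this->callerIsAdmin);
        if ($this->callerIsAdmin) {
            return $rows;
        }
        return array_map(
            fn(array $r) => ['id' => $r['id'], 'question' => $r['question']],
            $rows
        );
    }
}

$anon = new OpenQuestionController(new Question(), callerIsAdmin: false);
echo json_encode($anon->listVulnerable(), JSON_PRETTY_PRINT), "\n"; // both rows, with emails
echo json_encode($anon->list(), JSON_PRETTY_PRINT), "\n";           // one visible row, no email
```

Run with `php example.php`; the contrast between the two JSON documents is the whole finding: the same store, the same anonymous caller, and only the authorization-aware path withholds the hidden record and the addresses.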
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4257
Vulnerability details
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated exploitation of public-facing web API endpoints in phpMyFAQ leading to information disclosure (CWE-200).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control decisions on API endpoints so that non-public records (isVisible=false) and user emails are never returned to unauthenticated callers.
- AC-22 (Publicly Accessible Content): requires explicit control over what content is made publicly accessible, preventing the default exposure of private FAQ, comment, and news records through the affected endpoints.
- Information-flow enforcement: enforces information-flow rules that would block the unintended release of sensitive attributes (emails, private flags) from Question::getAll() and similar methods to public API consumers.