Cyber Resilience

CVE-2026-24422

Medium · Public PoC

Published: 24 January 2026
Modified: 28 January 2026
KEV Added
Patch
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0002 (6.2th percentile)
Risk priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24422 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Phpmyfaq Phpmyfaq. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood is ranked at the 6.2th percentile (below the median), the CVE is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2026-24422 is an information disclosure vulnerability in phpMyFAQ, an open source FAQ web application, affecting versions 4.0.16 and below. Multiple public API endpoints lack sufficient access controls and expose sensitive user information. Specifically, the OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, so non-public records (isVisible=false) are returned alongside user email addresses. Similar issues exist in the comment, news, and FAQ APIs. The weakness is classified as CWE-200 and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Unauthenticated attackers can exploit this over the network with low complexity and no user interaction. By querying the affected endpoints, they can harvest email addresses for phishing campaigns or access content explicitly marked as private, enabling targeted social engineering or unauthorized data collection.

The vulnerability has been fixed in phpMyFAQ version 4.0.17. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc.
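Because the flaw is a permissive default reaching a public endpoint, the pattern is easiest to see beside its fix. The Python model below is an added example, not phpMyFAQ code: the record fields, the function names (get_all, list_open_questions_vulnerable, list_open_questions_hardened, disclosed_emails) and the sample data are constructed to mirror the Question::getAll()/showAll=true behaviour the advisory describes. The hardened variant decides visibility server-side from the caller's privilege and serialises only an allow-list of public fields, so an email attribute cannot leak even if the visibility check later regresses.

```python
"""Illustrative model of the CVE-2026-24422 pattern (CWE-200): a public list
endpoint that inherits a privileged "show all" default from its data-access
helper and serialises full records, including emails, to any caller.

Added, hypothetical example; not phpMyFAQ code. Record fields, function names
and the sample data below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    id: int
    question: str
    email: str          # submitter contact; must never reach anonymous callers
    is_visible: bool    # False = record marked non-public by an administrator


# Constructed sample data: two public questions and one hidden one.
QUESTIONS = [
    Question(1, "How do I reset my password?", "alice@example.test", True),
    Question(2, "Internal: pending legal review", "bob@example.test", False),
    Question(3, "Is there an API?", "carol@example.test", True),
]


def get_all(show_all: bool = True) -> list[Question]:
    """Data-access helper. The permissive default is the root of the flaw:
    any caller that forgets to pass show_all=False receives hidden records."""
    return [q for q in QUESTIONS if show_all or q.is_visible]


# --- vulnerable pattern ----------------------------------------------------
def list_open_questions_vulnerable() -> list[dict]:
    """Public endpoint that relies on get_all()'s default and serialises every
    field, so hidden records and all email addresses are disclosed."""
    return [vars(q) for q in get_all()]


# --- hardened pattern ------------------------------------------------------
PUBLIC_FIELDS = ("id", "question")   # allow-list of fields safe for anonymous callers


def list_open_questions_hardened(authenticated_admin: bool = False) -> list[dict]:
    """Same endpoint with two independent fixes:
    1. visibility is decided from the caller's privilege, never from a
       permissive default in the data layer;
    2. the response is built from an allow-list of public fields, so a
       sensitive attribute such as email cannot leak even if fix 1 regresses."""
    records = get_all(show_all=authenticated_admin)
    return [{f: getattr(q, f) for f in PUBLIC_FIELDS} for q in records]


def disclosed_emails(payload: list[dict]) -> set[str]:
    """Detection helper: collect every email value present in a serialised
    response. Handy for checking a staging instance's API output for this
    class of leak after deploying a patch."""
    return {r["email"] for r in payload if "email" in r}


if __name__ == "__main__":
    leaky = list_open_questions_vulnerable()
    safe = list_open_questions_hardened()
    print("vulnerable:", len(leaky), "records, emails:", sorted(disclosed_emails(leaky)))
    print("hardened:  ", len(safe), "records, emails:", sorted(disclosed_emails(safe)))
```

Run stand-alone, the script shows the vulnerable endpoint returning all three records with three email addresses, while the hardened endpoint returns only the two visible records and no email field at all; passing authenticated_admin=True restores the hidden record for a privileged caller but still withholds emails, which is the field allow-list doing its job independently of the visibility check.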

EU & UK References

Vulnerability details

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated exploitation of public-facing web API endpoints in phpMyFAQ leading to information disclosure (CWE-200).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27836 · Same product: Phpmyfaq Phpmyfaq
CVE-2026-34728 · Same product: Phpmyfaq Phpmyfaq
CVE-2024-56199 · Same product: Phpmyfaq Phpmyfaq
CVE-2024-13796 · Shared CWE-200
CVE-2025-25975 · Shared CWE-200
CVE-2024-12142 · Shared CWE-200
CVE-2025-25951 · Shared CWE-200
CVE-2026-34297 · Shared CWE-200
CVE-2024-26480 · Shared CWE-200
CVE-2026-24498 · Shared CWE-200

Affected Assets

Vendor: phpmyfaq · Product: phpmyfaq · Versions: ≤ 4.0.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly enforces access control decisions on API endpoints so that non-public records (isVisible=false) and user emails are never returned to unauthenticated callers.

prevent

Requires explicit control over what content is made publicly accessible, preventing the default exposure of private FAQ, comment, and news records through the affected endpoints.

prevent

Enforces information-flow rules that would block the unintended release of sensitive attributes (emails, private flags) from Question::getAll() and similar methods to public API consumers.

References