Headline
GHSA-j4rc-96xj-gvqc: phpMyFAQ: Public API endpoints expose emails and invisible questions
Summary
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
Details
OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.
PoC
curl -i -H 'Accept-Language: en' \
http://192.168.40.16/phpmyfaq/api/v3.0/open-questions
Impact
Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-24422
phpMyFAQ: Public API endpoints expose emails and invisible questions
Moderate severity GitHub Reviewed Published Jan 23, 2026 in thorsten/phpMyFAQ • Updated Jan 23, 2026
Package
composer phpmyfaq/phpmyfaq (Composer)
Affected versions
<= 4.0.16
Summary
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
Details
OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.
PoC
curl -i -H 'Accept-Language: en' \
http://192.168.40.16/phpmyfaq/api/v3.0/open-questions
Impact
Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.
References
- GHSA-j4rc-96xj-gvqc
Published to the GitHub Advisory Database
Jan 23, 2026
Last updated
Jan 23, 2026