
CVE-2026-56396

HIGH NVD
CVSS Score 8.8
Severity HIGH
Published Jun 21, 2026
Vendor unknown

Description

phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in the editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with the edit_user permission can set the is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

References