CVE-2026-46365: Missing Authorization in thorsten phpmyfaq
phpMyFAQ versions before 4. 1. 2 have a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint. This flaw allows any authenticated user, including regular frontend users, to delete arbitrary tags by sending a DELETE request with a valid session cookie. Exploitation results in permanent data loss and disruption of FAQ organization. The vulnerability has a CVSS score of 5. 4, indicating medium severity. No official patch or remediation guidance is currently provided by the vendor. The product is not a cloud service, so remediation depends on vendor updates or user-applied fixes.
AI Analysis
Technical Summary
The vulnerability CVE-2026-46365 in phpMyFAQ before version 4.1.2 is due to missing authorization checks on the DELETE /admin/api/content/tags/{tagId} API endpoint. This allows any authenticated user to delete tags regardless of their privilege level. The issue can lead to permanent deletion of tags, impacting the organization and integrity of FAQ content. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact.
Potential Impact
Any logged-in user can delete arbitrary tags, causing permanent data loss and disruption of FAQ organization. This can degrade the usability and management of the FAQ system but does not directly impact confidentiality. The availability of FAQ content is affected due to tag deletions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user access to trusted users only and monitor for unauthorized tag deletions. Avoid granting unnecessary login permissions to untrusted users.
CVE-2026-46365: Missing Authorization in thorsten phpmyfaq
Description
phpMyFAQ versions before 4. 1. 2 have a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint. This flaw allows any authenticated user, including regular frontend users, to delete arbitrary tags by sending a DELETE request with a valid session cookie. Exploitation results in permanent data loss and disruption of FAQ organization. The vulnerability has a CVSS score of 5. 4, indicating medium severity. No official patch or remediation guidance is currently provided by the vendor. The product is not a cloud service, so remediation depends on vendor updates or user-applied fixes.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-46365 in phpMyFAQ before version 4.1.2 is due to missing authorization checks on the DELETE /admin/api/content/tags/{tagId} API endpoint. This allows any authenticated user to delete tags regardless of their privilege level. The issue can lead to permanent deletion of tags, impacting the organization and integrity of FAQ content. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact.
Potential Impact
Any logged-in user can delete arbitrary tags, causing permanent data loss and disruption of FAQ organization. This can degrade the usability and management of the FAQ system but does not directly impact confidentiality. The availability of FAQ content is affected due to tag deletions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user access to trusted users only and monitor for unauthorized tag deletions. Avoid granting unnecessary login permissions to untrusted users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-13T19:40:27.809Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec4ec166c07b0830abb
Added to database: 5/15/2026, 7:06:44 PM
Last enriched: 5/15/2026, 7:22:23 PM
Last updated: 5/15/2026, 9:17:28 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.