phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.
References
Configurations
No configuration.
History
30 Jun 2026, 23:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-30 23:17
Updated : 2026-06-30 23:17
NVD link : CVE-2026-57995
Mitre link : CVE-2026-57995
CVE.ORG link : CVE-2026-57995
JSON object : View
Products Affected
No product.
CWE
CWE-269
Improper Privilege Management
