CVSS 3.1 score: 7.2

CVE-2025-62519: phpMyFAQ Configuration Update Allows Privileged User to Access Database

GHSA-fxm2-cmwj-qvx4 CVE-2025-62519
Summary

An authenticated SQL injection flaw in phpMyFAQ's main configuration update functionality lets a user with 'Configuration Edit' permission execute arbitrary SQL commands, and so read, modify, or delete all data in the database. Depending on the database configuration, it may also lead to remote code execution. This is a serious issue for anyone using phpMyFAQ. Update to version 4.0.14 or later to fix this issue.

What to do
  • Update thorsten phpmyfaq to version 4.0.14.
  • Update phpmyfaq phpmyfaq to version 4.0.14.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| composer | thorsten | phpmyfaq | <= 4.0.13 | upgrade to 4.0.14 |
| composer | phpmyfaq | phpmyfaq | <= 4.0.13 | upgrade to 4.0.14 |
| – | phpmyfaq | phpmyfaq | < 4.0.14 | – |

CPE for the last row: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Original description
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.
ghsa CVSS3.1 7.2
Vulnerability type
CWE-89 SQL Injection
Published: 17 Nov 2025 · Updated: 16 Jun 2026 · First seen: 6 Mar 2026