Listen to this Post
How the CVE Works:
The vulnerability exists in multiple public API endpoints (e.g., /api/open-questions, /api/comments). The `OpenQuestionController::list()` method directly calls `Question::getAll()` with its default parameter $showAll = true. This flag bypasses the intended visibility filter (isVisible = false), causing the API to return all question records, including those marked as non-public. These records contain sensitive fields, primarily user email addresses. Similarly structured endpoints for comments, news, and FAQs exhibit the same flaw, where methods fail to enforce proper access controls or filter sensitive data before serializing the API response. This leads to unauthorized disclosure of private information through what should be public-facing interfaces.
DailyCVE Form:
Platform: phpMyFAQ
Version: (Pre-patch versions)
Vulnerability : API data exposure
Severity: Moderate
Date: 2026-01-23
Prediction: 2026-02-13
What Undercode Say:
Analytics:
curl -s "https://target.com/api/open-questions" | jq '.[] | .email'
grep -r "getAll.true" /path/to/phpMyFAQ/
// Vulnerable code pattern:
public function list()
{
$questions = $this->question->getAll(true); // Parameter forces showAll
return $this->json($questions);
}
How Exploit:
Attacker sends GET requests to vulnerable public API endpoints to harvest email addresses and read content intended to be private.
Protection from this CVE:
Update phpMyFAQ. Implement strict access controls and data filtering in API controllers. Ensure `isVisible` and other privacy flags are respected in all queries.
Impact:
Privacy violation. Phishing risk. Data scraping.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

