CVE-2026-24420
phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version
We have discovered 213 live websites that are affected by CVE-2026-24420.
Affected Software
| Product | |
| Category | Miscellaneous |
| Vulnerable Domains | 213 live websites (100% of phpMyFAQ install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 43 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-284 Improper Access ControlDetails
- Published - Jan 24, 2026
- Updated - Jan 26, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-24420 United States | 41 websites |
 Germany | 91 websites |
 France | 11 websites |
 Japan | 10 websites |
 Netherlands | 6 websites |
 Switzerland | 6 websites |
 Brazil | 5 websites |
 Australia | 3 websites |
 GB | 3 websites |
 Singapore | 3 websites |
Website Distribution by TLD
Number of websites using CVE-2026-24420| .com | 59 websites |
| .de | 58 websites |
| .net | 14 websites |
| .org | 9 websites |
| .nl | 6 websites |
| .fr | 5 websites |
| .info | 5 websites |
| .com.br | 4 websites |
| .ch | 3 websites |
| .jp | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-24420
Top websites that are affected by CVE-2026-24420. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*************.de | Germany | **,*** | |
| ***.********.de | Germany | ***,*** | |
| *************.org | United States | ***,*** | |
| ****.**********.com | United States | ***,*** | |
| ***.*******.**.th |  Thailand | ***,*** | |
| ***.*******.com | United States | ***,*** | |
| ***.****.de | Germany | ***,*** | |
| ***.***************.de | Germany | ***,*** | |
| *********.com |  Austria | *,***,*** | |
| ***.******.com | United States | *,***,*** |
FAQ
CVE-2026-24420 is Improper Access Control in phpMyFAQ
A total of 213 websites have been identified as vulnerable to CVE-2026-24420, based on global website indexing conducted by WebTechSurvey.
The phpMyFAQ is affected by the CVE-2026-24420 vulnerability.
phpMyFAQ versions up to 4.0.17 are vulnerable to CVE-2026-24420.
CVE-2026-24420 is resolved in version 4.0.17 of phpMyFAQ.