CVE-2025-62519
HIGHphpmyfaq < 4.0.14 - Authenticated SQL Injection in Configuration Update
Title source: llmDescription
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-fxm2-cmwj-qvx4
Release Notes x_refsource_misc
https://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14
Scores
CVSS v3
7.2
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (3)
phpmyfaq/phpmyfaq
< 4.0.14
phpmyfaq/phpmyfaq
0 - 4.0.14Packagist
thorsten/phpmyfaq
0 - 4.0.14Packagist
Published
Nov 17, 2025
Tracked Since
Feb 18, 2026