Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER_ADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and attacker-chosen credentials to create a SuperAdmin account, then authenticate as that account to achieve full instance takeover. | |
| Title | phpMyFAQ - Privilege Escalation via Missing SuperAdmin Guard in user/add Endpoint | |
| First Time appeared |
Phpmyfaq
Phpmyfaq phpmyfaq |
|
| Weaknesses | CWE-269 | |
| CPEs | cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Phpmyfaq
Phpmyfaq phpmyfaq |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T11:25:33.496Z
Reserved: 2026-06-26T17:58:05.796Z
Link: CVE-2026-57996
No data.
No data.
No data.
OpenCVE Enrichment
No data.