What is the severity of CVE-2026-24422?

CVE-2026-24422 has a CVSS v3 score of 5.3, which is classified as Medium severity.

Is there an exploit available for CVE-2026-24422?

No known public exploits are currently available for CVE-2026-24422.

Is there a patch available for CVE-2026-24422?

No official patches have been released yet for CVE-2026-24422. Consider implementing workarounds or mitigations.

CVE-2026-24422 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-24422?

### Summary Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false). ### Details OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs. ### PoC ``` curl -i -H 'Accept-Language: en' \ http://192.168.40.16/phpmyfaq/api/v3.0/open-questions ``` ### Impact Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.

Summary

Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).

Details

OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.

PoC

curl -i -H 'Accept-Language: en' \
  http://192.168.40.16/phpmyfaq/api/v3.0/open-questions

Impact

Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.