SQL Injection Affecting phpmyfaq/phpmyfaq package, versions <4.0.14
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-PHPMYFAQPHPMYFAQ-14040985
- published18 Nov 2025
- disclosed17 Nov 2025
- creditXY20130630
Introduced: 17 Nov 2025
NewCVE-2025-62519 (opens in a new tab)How to fix?
Upgrade phpmyfaq/phpmyfaq to version 4.0.14 or higher.
Overview
phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases
Affected versions of this package are vulnerable to SQL Injection in the update() method in Configuration.php. A user with 'Configuration Edit' permissions can execute arbitrary SQL commands by submitting crafted input for the $newConfigValues array, which is passed in as the name parameter. Successful exploitation can result in full compromise of the database, including reading, modifying, or deleting all data, and may potentially allow remote code execution depending on the database configuration.