CVE-2025-62519: phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a privileged user with ‘Configuration Edit’ permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration.