Skip to main content

phpMyFAQ CVE-2026-35672

| EUVDEUVD-2026-32903 HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-05-28 VulnCheck GHSA-gp95-j463-vv28
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Updated
May 28, 2026 - 16:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 15:53 vuln.today
Analysis Generated
May 28, 2026 - 15:53 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

AnalysisAI

Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.

Technical ContextAI

phpMyFAQ is a widely deployed open-source PHP FAQ management system (CPE cpe:2.3:a:thorsten:phpmyfaq) maintained by Thorsten Rinne. The defect maps to CWE-1188 (Insecure Default Initialization of a Resource): the installer's DefaultDataSeeder.php seeds the api.apiClientToken configuration value with an empty string, and AbstractController::hasValidToken() uses a strict ! comparison against the inbound x-pmf-token HTTP header. Because '' ! '' evaluates false, the default empty token both satisfies the comparison and bypasses the only authentication guard protecting POST /api/v4.0/faq/create, PUT /api/v4.0/faq/update, POST /api/v4.0/category, and POST /api/v4.0/question - endpoints the OpenAPI annotations explicitly mark as authenticated.

RemediationAI

Vendor-released patch: upgrade phpMyFAQ to 4.1.3 or later, which corrects the seeded default and the comparison logic per the GHSA-gp95-j463-vv28 advisory (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gp95-j463-vv28). If immediate upgrade is not possible, set api.apiClientToken to a long random secret in the admin configuration so the strict comparison no longer accepts an empty header - this is the lowest-impact workaround and breaks only existing API clients that were relying on the (insecure) empty token. Alternatively, block POST /api/v4.0/faq/create, PUT /api/v4.0/faq/update, POST /api/v4.0/category, and POST /api/v4.0/question at the reverse proxy or WAF, or disable the REST API entirely by setting api.enableAccess to false; both options disable legitimate API-driven content management until reverted.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

CVE-2026-35672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy