Which versions of phpMyFAQ are affected by CVE-2026-35672?

phpMyFAQ installations running versions prior to 4.1.3 are vulnerable to unauthenticated remote modification of FAQ content through an API token validation bypass affecting default configurations.. A patch is available.

phpMyFAQ CVE-2026-35672

Q: What is the CVSS score of CVE-2026-35672?

CVE-2026-35672 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-32903 HIGH

Initialization of a Resource with an Insecure Default (CWE-1188)

2026-05-28 VulnCheck

GHSA-gp95-j463-vv28

Authentication Bypass

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 28, 2026 - 17:01 EUVD

Analysis Updated

May 28, 2026 - 16:33 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 16:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Source Code Evidence Fetched

May 28, 2026 - 15:53 vuln.today

Analysis Generated

May 28, 2026 - 15:53 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

AnalysisAI

Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. …

RemediationAI

Within 24 hours: inventory all phpMyFAQ deployments and identify versions < 4.1.3; restrict network access to REST API v4.0 endpoints via firewall or reverse proxy. Within 7 days: evaluate upgrading to phpMyFAQ 4.1.3 or later; if upgrade is not feasible, deploy WAF rules to block requests with empty x-pmf-token headers, or disable the REST API v4.0 entirely if not operationally required. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35672 vulnerability details – vuln.today

Back

phpMyFAQ CVE-2026-35672

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

phpMyFAQ CVE-2026-35672

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code