Skip to main content

phpMyFAQ CVE-2026-35675

| EUVDEUVD-2026-32904 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-28 VulnCheck GHSA-w9xh-5f39-vq89
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Updated
May 28, 2026 - 16:33 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
8.2 (HIGH) 8.8 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 15:53 vuln.today
Analysis Generated
May 28, 2026 - 15:53 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

AnalysisAI

Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.

Technical ContextAI

phpMyFAQ is a PHP-based open-source FAQ/knowledge-base application (CPE cpe:2.3:a:thorsten:phpmyfaq:*). The defect lives in UnauthorizedUserController::updatePassword() (phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php lines 56-130), an endpoint mounted at PUT /api/user/password/update that is intentionally exposed to unauthenticated callers. The handler looks up the account by login, compares the supplied email to the stored email, and on match generates a new password via createPassword(), persists it with changePassword(), and emails it in plaintext - skipping the cryptographic reset token, the verification round-trip, and any throttling. The root-cause class is CWE-307 (Improper Restriction of Excessive Authentication Attempts), here manifested as both missing token-based proof of possession and missing rate limiting, which together collapse password reset into a one-shot oracle for username/email enumeration and takeover.

RemediationAI

Vendor-released patch: phpMyFAQ 4.1.3 - upgrade immediately via Composer (composer require thorsten/phpmyfaq:^4.1.3 or update phpmyfaq/phpmyfaq accordingly) per GHSA-w9xh-5f39-vq89. If upgrading cannot happen immediately, block or proxy-deny PUT requests to /api/user/password/update at the reverse proxy/WAF (this disables self-service password reset for legitimate users until patched) and restrict the entire /api/ path to known administrative IP ranges where feasible; rotate all existing user and SuperAdmin passwords after upgrading since pre-patch resets cannot be retroactively distinguished from attacker-triggered ones, and audit the mail-send logs for unexpected password-reset emails as an indicator of prior compromise.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

CVE-2026-35675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy