Which versions of phpMyFAQ are affected by CVE-2026-35676?

phpMyFAQ versions before 4.1.3 contain an unauthenticated account takeover vulnerability allowing attackers to forcibly reset any user's password and enumerate valid accounts; publicly available…. A patch is available.

phpMyFAQ CVE-2026-35676

Q: What is the CVSS score of CVE-2026-35676?

CVE-2026-35676 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-32905 HIGH

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

2026-05-28 VulnCheck

GHSA-9qv9-8xv6-5p35

PHP Information Disclosure

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 28, 2026 - 17:01 EUVD

Analysis Updated

May 28, 2026 - 16:31 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 16:31 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 16:22 NVD

8.2 (HIGH) 8.8 (HIGH)

Source Code Evidence Fetched

May 28, 2026 - 15:53 vuln.today

Analysis Generated

May 28, 2026 - 15:53 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

AnalysisAI

Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also leaks valid credentials through response code differentials (200 vs 409), enabling username/email enumeration before the reset. …

RemediationAI

Within 24 hours: Restrict network access to /api/index.php/user/password/update endpoint via firewall or WAF; enable audit logging on all password reset events. Within 7 days: Force password reset for all administrative and privileged user accounts; audit logs for unauthorized password resets or account takeover attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35676 vulnerability details – vuln.today

Back

phpMyFAQ CVE-2026-35676

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

phpMyFAQ CVE-2026-35676

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code