Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.
AnalysisAI
Two-factor authentication bypass in phpMyFAQ before 4.1.2 lets unauthenticated remote attackers brute-force any administrator's six-digit TOTP code by submitting sequential POST requests to the /admin/check endpoint, which lacks session binding and rate limiting. CVSS 4.0 scores this 9.3 with no public exploit identified at time of analysis, though a proof-of-concept is described in the GHSA advisory and SSVC marks exploitation as 'poc' with total technical impact. EPSS is low at 0.12%, reflecting limited observed scanning despite the trivial 10^6 keyspace exhaustible in minutes.
Technical ContextAI
phpMyFAQ is a PHP-based open-source FAQ management platform identified by CPE cpe:2.3:a:thorsten:phpmyfaq. The flaw is rooted in CWE-307 (Improper Restriction of Excessive Authentication Attempts) and stems from a Symfony controller design choice: AuthenticationController in phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php implements the SkipsAuthenticationCheck marker interface, so the ControllerContainerListener bypasses session enforcement on every route in that controller. The /admin/check action reads the user-id field directly from the POST body, instantiates the target user via getUserById, and calls TwoFactor::validateToken without verifying that the caller completed the prior password phase or limiting attempt frequency, collapsing the second factor into a guessable secret.
RemediationAI
Vendor-released patch: phpMyFAQ 4.1.2 - upgrade the Composer package thorsten/phpmyfaq (or phpmyfaq/phpmyfaq) to 4.1.2 or later per GHSA-9pq7-mfwh-xx2j (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j). Until upgrading is possible, block external access to the /admin/ path tree at the reverse proxy or web server (this is acceptable for most deployments since administration is rarely public, but will break legitimate remote admin workflows and any embedded admin tooling), or insert a WAF/Nginx rate-limit rule that caps POST requests to /admin/check at single-digit attempts per minute per source IP and per user-id parameter (note that distributed sources can still defeat IP-only limits, so per-user-id limiting is preferable). As a defense-in-depth step, temporarily disable TOTP-based 2FA and require password resets, accepting that this removes the second factor entirely - only a stopgap until 4.1.2 is deployed.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30595
GHSA-6626-79jh-5ccr