Skip to main content

phpMyFAQ CVE-2026-45010

| EUVDEUVD-2026-30595 CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 16:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:30 vuln.today
Analysis Generated
May 15, 2026 - 19:30 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

AnalysisAI

Two-factor authentication bypass in phpMyFAQ before 4.1.2 lets unauthenticated remote attackers brute-force any administrator's six-digit TOTP code by submitting sequential POST requests to the /admin/check endpoint, which lacks session binding and rate limiting. CVSS 4.0 scores this 9.3 with no public exploit identified at time of analysis, though a proof-of-concept is described in the GHSA advisory and SSVC marks exploitation as 'poc' with total technical impact. EPSS is low at 0.12%, reflecting limited observed scanning despite the trivial 10^6 keyspace exhaustible in minutes.

Technical ContextAI

phpMyFAQ is a PHP-based open-source FAQ management platform identified by CPE cpe:2.3:a:thorsten:phpmyfaq. The flaw is rooted in CWE-307 (Improper Restriction of Excessive Authentication Attempts) and stems from a Symfony controller design choice: AuthenticationController in phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php implements the SkipsAuthenticationCheck marker interface, so the ControllerContainerListener bypasses session enforcement on every route in that controller. The /admin/check action reads the user-id field directly from the POST body, instantiates the target user via getUserById, and calls TwoFactor::validateToken without verifying that the caller completed the prior password phase or limiting attempt frequency, collapsing the second factor into a guessable secret.

RemediationAI

Vendor-released patch: phpMyFAQ 4.1.2 - upgrade the Composer package thorsten/phpmyfaq (or phpmyfaq/phpmyfaq) to 4.1.2 or later per GHSA-9pq7-mfwh-xx2j (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j). Until upgrading is possible, block external access to the /admin/ path tree at the reverse proxy or web server (this is acceptable for most deployments since administration is rarely public, but will break legitimate remote admin workflows and any embedded admin tooling), or insert a WAF/Nginx rate-limit rule that caps POST requests to /admin/check at single-digit attempts per minute per source IP and per user-id parameter (note that distributed sources can still defeat IP-only limits, so per-user-id limiting is preferable). As a defense-in-depth step, temporarily disable TOTP-based 2FA and require password resets, accepting that this removes the second factor entirely - only a stopgap until 4.1.2 is deployed.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

CVE-2026-45010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy