Which versions of phpMyFAQ are affected by EUVD-2026-32904?

Any unauthenticated attacker can forcibly reset phpMyFAQ administrator passwords in versions before 4.1.3, granting complete control of affected systems with no authentication barriers.. A patch is available.

How to fix or mitigate EUVD-2026-32904?

24 hours: Identify all phpMyFAQ instances running versions before 4.1.3; audit SuperAdmin accounts for unauthorized password changes. Immediately isolate affected systems or implement emergency network access controls if upgrade is not immediately possible. 7 days: Determine upgrade feasibility to phpMyFAQ 4.1.3 or assess product discontinuation. If upgrading is not feasible, deploy web application firewall rules blocking PUT requests to /api/user/password/update and restrict administrative access to trusted networks. 30 days: Complete upgrade to phpMyFAQ 4.1.3 or remove affected systems from production.

phpMyFAQ EUVD-2026-32904

Q: What is the CVSS score of EUVD-2026-32904?

EUVD-2026-32904 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

| CVE-2026-35675 HIGH

Improper Restriction of Excessive Authentication Attempts (CWE-307)

2026-05-28 VulnCheck

GHSA-w9xh-5f39-vq89

Authentication Bypass

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 28, 2026 - 17:01 EUVD

Analysis Updated

May 28, 2026 - 16:33 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 16:32 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 16:22 NVD

8.2 (HIGH) 8.8 (HIGH)

Source Code Evidence Fetched

May 28, 2026 - 15:53 vuln.today

Analysis Generated

May 28, 2026 - 15:53 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

AnalysisAI

Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.

RemediationAI

24 hours: Identify all phpMyFAQ instances running versions before 4.1.3; audit SuperAdmin accounts for unauthorized password changes. Immediately isolate affected systems or implement emergency network access controls if upgrade is not immediately possible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-32904 vulnerability details – vuln.today

Back

phpMyFAQ EUVD-2026-32904

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

phpMyFAQ EUVD-2026-32904

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code