CVE-2026-35676

phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

CVSS 8.8 HIGHEPSS 0.2%CWE-640

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

28 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

thorsten · phpMyFAQ

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35 https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-password-reset-via-user-password-update-endpoint