CVE-2026-35672
HighSummary
phpMyFAQ before version 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries.
Risk Assessment
Attackers can exploit this vulnerability to inject malicious content, potentially leading to serious data security breaches within the organization.
Recommendation
It is recommended to update phpMyFAQ to version 4.1.3 or later and implement additional authentication mechanisms for the API.
Original NVD description (English source)
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

