CVE Catalog

CVE-2026-35672

High
Published: Translated: NVD NIST

Summary

phpMyFAQ before version 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries.

Risk Assessment

Attackers can exploit this vulnerability to inject malicious content, potentially leading to serious data security breaches within the organization.

Recommendation

It is recommended to update phpMyFAQ to version 4.1.3 or later and implement additional authentication mechanisms for the API.

Original NVD description (English source)

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS