CVE Catalog

CVE-2026-35676

High
Published: Translated: NVD NIST

Summary

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation.

Risk Assessment

Attackers can enumerate valid username and email pairs and force immediate password changes, causing account disruption and invalidating legitimate user credentials.

Recommendation

It is recommended to update phpMyFAQ to version 4.1.3 or later to mitigate this vulnerability and implement additional security measures such as token validation during password updates.

Original NVD description (English source)

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS