By weakness (CWE)
CWE-1188: related vulnerabilities
CVEs classified under CWE-1188. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-35672HIGH 7.5
phpMyFAQ versions before 4.1.3 have a critical flaw in their API that allows anyone on the network to create and modify FAQ entries without logging in. The vulnerability exists because the system accepts an empty authentication token by default, meaning attackers can submit requests with no valid credentials and the API will process them anyway. This permits unauthorized content injection into your knowledge base, potentially spreading misinformation, malware links, or defacement across your FAQ system.
- CVE-2026-36612MEDIUM 6.4
The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 ships with Wi-Fi Protected Setup (WPS) enabled by default. WPS is a feature designed to simplify device pairing, but this implementation has a critical weakness: after just 10 failed PIN guesses, the device locks out for only 60 seconds. This short lockout window makes brute-force attacks against the WPS PIN feasible within a reasonable timeframe, potentially allowing an attacker within wireless range to gain administrative access to the router.
- CVE-2026-36616MEDIUM 5.9
Mercusys AC12G (EU) V1 routers contain hardcoded credentials baked directly into the firmware. A researcher can extract a WiFi driver password, RADIUS shared secret, WPS test key, and default network password from the device's production binary. This allows someone with network access to bypass WiFi protections and potentially reach internal network resources, though the attack requires being within radio range and some technical effort to extract and use these credentials.