By weakness (CWE)
CWE-640: related vulnerabilities
CVEs classified under CWE-640. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
2 published vulnerabilities
- CVE-2026-35676HIGH 8.2
phpMyFAQ versions before 4.1.3 contain a critical flaw that allows anyone on the internet to reset user account passwords without authentication. An attacker can enumerate valid usernames and email addresses, then forcibly change passwords by sending direct API requests. This bypasses normal security controls and immediately locks legitimate users out of their accounts.
- CVE-2026-10169LOW 3.7
A weakness in the password recovery feature of OUSL-GROUP-BrinaryBrains School Student Management System allows an attacker to manipulate the email parameter in the forgot password function, potentially leading to unauthorized password resets or account takeover. The vulnerability exists in the Login.php controller's ajax_forgot_password endpoint. While exploitable remotely, the attack requires specific conditions and is considered of low severity. Exploit code is publicly available, increasing risk of opportunistic attacks.