HIGH 8.2

CVE-2026-35675

phpMyFAQ versions before 4.1.3 contain a critical flaw in their password reset mechanism that completely bypasses authentication checks. An attacker does not need valid credentials or access to a victim's email to reset passwords—they can simply request a password reset for any user account, and the system grants it without verification. This means attackers can take over any account, including administrator accounts, giving them full control of the FAQ system and potentially the underlying server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weaknesses (CWE)
CWE-307
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the password reset endpoint of phpMyFAQ prior to version 4.1.3. The flaw stems from improper implementation of the account recovery flow: the endpoint fails to enforce token-based validation or require email confirmation before accepting password reset requests. An attacker can enumerate valid usernames through the reset interface and trigger password changes that deliver plaintext credentials via email or directly update the account. This combines weak authentication controls (CWE-307: Improper Restriction of Rendered UI Layers or Frames) with a complete absence of out-of-band verification, allowing unauthenticated, unauthorized password resets.

Business impact

Compromise of phpMyFAQ installations exposes significant operational and data risks. Attackers gain direct access to FAQ content management, customer knowledge bases, and support workflows. If phpMyFAQ integrates with user directories or shares credentials across systems, lateral movement becomes possible. Administrative takeover permits modification of system configuration, installation of backdoors, or destruction of FAQ content. Organizations relying on phpMyFAQ as a customer-facing system face reputational damage, data breach exposure if user information is stored, and potential service disruption. The ease of exploitation and breadth of impact justify immediate remediation.

Affected systems

All phpMyFAQ installations running versions prior to 4.1.3 are affected. This includes self-hosted deployments across on-premises and cloud environments. The vendor metadata provided does not specify which earlier versions are vulnerable; organizations should consult the phpMyFAQ project advisory to determine precise version ranges. Any instance exposed to network access—whether internal or internet-facing—can be exploited without authentication.

Exploitability

This vulnerability is trivial to exploit. No special tooling, authentication, or user interaction is required. An attacker needs only network access to the phpMyFAQ instance and can automate attacks across multiple accounts using basic HTTP requests. The lack of rate limiting or CAPTCHA on password reset endpoints (a common pattern) means attackers can rapidly enumerate usernames and reset passwords at scale. The network vector (AV:N), low complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N) underscore the severe exploitability profile. Active exploitation in the wild should be assumed likely given the simplicity.

Remediation

Upgrade phpMyFAQ to version 4.1.3 or later immediately. Patch vendors have addressed this by implementing proper token-based password reset flows with mandatory email verification or out-of-band confirmation. Organizations unable to patch immediately should implement network-level access controls to restrict the password reset endpoint to trusted IP ranges, disable password reset functionality if not required, or place phpMyFAQ behind a Web Application Firewall (WAF) configured to rate-limit or block suspicious reset patterns.

Patch guidance

Apply phpMyFAQ version 4.1.3 or later. Verify the installed version in the phpMyFAQ administrative interface or by checking the version file (typically in /includes/Version.php or equivalent). After patching, test the password reset flow to confirm that legitimate reset requests now require email verification or token validation. Additionally, audit recent password reset logs to identify any suspicious account takeovers that may have occurred prior to patching. Consider forcing a password reset for all administrative accounts as a precaution.

Detection guidance

Monitor phpMyFAQ password reset endpoint logs for unusual patterns: rapid successive requests from a single IP, requests for non-existent usernames, or password resets followed immediately by login attempts. Web server access logs should be reviewed for POST requests to password reset endpoints without corresponding user sessions. Implement alerting on administrative account password changes, especially those occurring outside business hours or from unfamiliar IP addresses. Check for signs of account takeover: unexpected administrative login events, system configuration changes, or modifications to FAQ content by unauthorized accounts. If forensic investigation is needed, examine the application's user audit log for password reset events and correlate with network traffic.

Why prioritize this

This vulnerability merits immediate prioritization due to the combination of unauthenticated access, complete account takeover capability, and trivial exploitability. The CVSS score of 8.2 (HIGH) reflects the severity: attackers can compromise administrative accounts and gain full control of the phpMyFAQ system without any barriers. The attack requires no special knowledge and can be automated at scale. Unlike vulnerabilities requiring specific preconditions, this flaw is universally exploitable against any unpatched instance. Organizations should treat this as a critical issue and prioritize patching within 24–48 hours, especially for internet-facing installations.

Risk score, explained

The CVSS v3.1 score of 8.2 is justified by: (1) network-accessible attack vector requiring no authentication, (2) high integrity impact—attackers can modify accounts and system state, (3) low attack complexity with no prerequisites, (4) wide scope of impact affecting confidentiality (plaintext password exposure) and integrity (account takeover). The score does not include availability impact because the vulnerability does not directly cause service disruption, though attackers could indirectly cause it through malicious actions post-compromise. This places the vulnerability squarely in the HIGH severity category, warranting urgent remediation.

Frequently asked questions

Can this vulnerability be exploited if phpMyFAQ is behind a firewall or on an internal network?

Yes. While network exposure amplifies risk, the vulnerability is still exploitable on internal networks. Any attacker with network access to the phpMyFAQ instance—including insider threats, compromised internal systems, or lateral movement from other breaches—can reset passwords without authentication. The lack of network segmentation should not be relied upon as a control.

Will upgrading to 4.1.3 reverse or undo legitimate password resets that happened before patching?

No. Upgrading fixes the vulnerability prospectively but does not audit or reverse password changes that occurred while the system was vulnerable. Organizations should manually review account access logs for the period before patching and consider forcing administrative password resets as a precautionary measure. Compromised accounts may have been used for unauthorized actions and should be investigated.

If we don't run phpMyFAQ, are we at risk?

This vulnerability is specific to phpMyFAQ installations. If your organization does not deploy phpMyFAQ, you are not directly affected. However, if you use third-party applications or services that embed or depend on phpMyFAQ, verify their status with vendors. Self-hosted FAQ or knowledge base solutions from other vendors should be independently assessed for similar password reset vulnerabilities.

What should we do if we suspect unauthorized account access before we can patch?

Immediately disable or restrict access to the password reset endpoint at the firewall or load balancer level. Audit login logs for all user accounts, especially administrative ones, to identify suspicious access. Revoke active sessions and force a password reset for all users after access is secured. Preserve logs for forensic investigation. If you suspect data exfiltration, initiate your incident response plan and notify affected users according to regulatory requirements.

This analysis is based on CVE-2026-35675 data published as of the modification date (2026-06-17). Verify all technical details and patch availability against official phpMyFAQ vendor advisories and release notes. SEC.co does not provide legal, compliance, or insurance guidance. Organizations must assess risk and remediation timelines according to their own risk tolerance, regulatory obligations, and asset criticality. Exploit code and detailed attack methodology are intentionally omitted; security teams should engage reputable vulnerability research and penetration testing resources for authorized testing. No guarantee is made regarding the completeness or real-time accuracy of this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-36607HIGH

    CVE-2026-36607: Mercusys AC12G Router Brute-Force Vulnerability – Rate Limiting Bypass

  • CVE-2026-10216LOW

    CVE-2026-10216: Weak Authentication Rate-Limiting in unitedbyai Droidclaw

  • CVE-2026-36612MEDIUM

    CVE-2026-36612: Mercusys AC12G Weak WPS Lockout Policy Enables Router Compromise

  • CVE-2018-25382HIGH

    CVE-2018-25382: Zechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access

  • CVE-2018-25383HIGH

    CVE-2018-25383: Free MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk

  • CVE-2018-25385HIGH

    CVE-2018-25385: Unauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10

  • CVE-2018-25386HIGH

    CVE-2018-25386: SQL Injection in HaPe PKH 1.1 Admin Interface

  • CVE-2018-25388HIGH

    CVE-2018-25388: HaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)