phpMyFAQ before version 4.1.3 contains a critical authentication bypass vulnerability in the password reset endpoint. The vulnerability allows unauthenticated attackers to reset any user account password without proper token verification or email confirmation. Attackers can exploit this flaw to enumerate valid usernames and obtain plaintext passwords via email. The vulnerability enables complete account takeover, including administrative access to the system. This represents a high-severity security flaw that could lead to complete compromise of affected phpMyFAQ installations.