phpMyFAQ versions before 4.1.3 contain a critical unauthenticated password reset vulnerability in the user password update API endpoint. The flaw allows attackers to change account passwords without proper token validation by sending PUT requests to /api/index.php/user/password/update. Attackers can enumerate valid username and email combinations and force immediate password changes, leading to account disruption and invalidation of legitimate user credentials. This vulnerability enables complete account takeover without authentication.