top of page
perceptive_background_267k.jpg

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account …

Published:

27 mei 2026 om 22:00:00

Alert date:

28 mei 2026 om 17:06:19

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

phpMyFAQ versions before 4.1.3 contain a critical unauthenticated password reset vulnerability in the user password update API endpoint. The flaw allows attackers to change account passwords without proper token validation by sending PUT requests to /api/index.php/user/password/update. Attackers can enumerate valid username and email combinations and force immediate password changes, leading to account disruption and invalidation of legitimate user credentials. This vulnerability enables complete account takeover without authentication.

Technical details

Mitigation steps:

Affected products:

phpMyFAQ

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-35676
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35
https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-password-reset-via-user-password-update-endpoint

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page