SB2026051896 - Multiple vulnerabilities in phpMyFAQ
Published: May 18, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Insecure Default Initialization of Resource (CVE-ID: N/A)
CWE-ID: CWE-1188 - Insecure Default Initialization of Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify FAQ entries, categories, and questions via the REST API without authentication.
The vulnerability exists because the REST API token check, hasValidToken(), is initialized with an insecure default: the API client token is an empty string until an administrator sets it, and a request that carries an empty x-pmf-token header is treated as carrying a matching token. A remote attacker can therefore send API write requests with an empty token header and modify FAQ entries, categories, and questions without any credentials.
The issue affects installations where the API client token was never set and remains in its default empty state, and only those write endpoints that rely on hasValidToken() as their sole authentication check. Until the update is applied, an installation with a non-empty API client token configured is outside the vulnerable configuration described here.
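The failure mode above, as an added example that is not phpMyFAQ code: a header-token check that compares the supplied x-pmf-token value against a configured token passes when both are empty, while a fail-closed version rejects an unset token and an absent or empty header and compares in constant time. Function names, the status codes and the request dictionaries are assumptions constructed for the example.

```python
"""Header-token check that fails open on an unset token, beside a fail-closed form.

Added example, not phpMyFAQ code: function names, status codes and request
dictionaries are assumptions; only the header name x-pmf-token comes from
the bulletin."""
import hmac
from typing import Optional


def has_valid_token_vulnerable(configured_token: str, header_token: Optional[str]) -> bool:
    """Compare the supplied x-pmf-token header with the configured token.

    Insecure default: when the token was never set it is the empty string,
    so an empty (or missing) header compares equal and the request passes.
    """
    return (header_token or "") == configured_token


def has_valid_token_hardened(configured_token: str, header_token: Optional[str]) -> bool:
    """Fail closed: an unset token means the API accepts nothing, an absent
    or empty header is never accepted, and the comparison is constant-time."""
    if not configured_token or not header_token:
        return False
    return hmac.compare_digest(configured_token.encode(), header_token.encode())


def handle_write(check, configured_token: str, headers: dict) -> int:
    """HTTP-style status for a write endpoint guarded only by the token check."""
    if not check(configured_token, headers.get("x-pmf-token")):
        return 401
    return 200


if __name__ == "__main__":
    fresh_install = ""                       # token left at its default empty value
    anon_request = {"x-pmf-token": ""}      # constructed: attacker sends an empty header
    print(handle_write(has_valid_token_vulnerable, fresh_install, anon_request))  # 200
    print(handle_write(has_valid_token_hardened, fresh_install, anon_request))    # 401
```

The hardened check deliberately refuses to authenticate anything while the token is unset: an API that cannot be used until it is configured is the safe default for a write interface.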
2) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges and take over arbitrary accounts.
The vulnerability exists due to an authorization bypass through a user-controlled key in the overwritePassword() method of the admin API user controller, which handles PUT requests to the /admin/api/user/overwrite-password endpoint. The target account is taken from the userId value in the request body, and the method does not check that the acting user is permitted to change that particular account's password. A remote user can change userId to point at any account, including one more privileged than their own, to escalate privileges and take over arbitrary accounts.
Exploitation requires an authenticated admin session with the USER_EDIT permission and a valid CSRF token, so the flaw lets a lower-privileged administrator take over accounts above their own level rather than granting anonymous access.
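A model of the authorization gap above, as an added example that is not phpMyFAQ code: both handlers require USER_EDIT and a matching CSRF token, but only the hardened one makes an authorization decision about the target named by userId. The user table, the rank values and the rule "an actor may not overwrite an account ranked above their own" are assumptions chosen to illustrate the point; the real fix may bind the target differently.

```python
"""Password-overwrite endpoint keyed by a client-supplied userId (CWE-639).

Added example, not phpMyFAQ code. USERS, Session, the rank values and the
hardening rule are assumptions constructed for illustration."""
from dataclasses import dataclass, field

# Constructed user table: id -> role, rank (higher = more privileged), stored hash.
USERS = {
    1: {"role": "superadmin", "rank": 100, "password_hash": "hash(root-pw)"},
    7: {"role": "admin", "rank": 50, "password_hash": "hash(editor-pw)"},
}


@dataclass
class Session:
    user_id: int
    permissions: set = field(default_factory=set)
    csrf_token: str = "tok"


def _entry_checks_pass(session: Session, body: dict) -> bool:
    """The checks both variants share: permission flag plus CSRF token."""
    return "USER_EDIT" in session.permissions and body.get("csrf") == session.csrf_token


def overwrite_password_vulnerable(session: Session, body: dict) -> int:
    """The target is whatever userId the PUT body names; nothing ties it to
    what this session is actually allowed to administer."""
    if not _entry_checks_pass(session, body):
        return 403
    target = USERS.get(int(body["userId"]))
    if target is None:
        return 404
    target["password_hash"] = "hash(" + body["newPassword"] + ")"
    return 200


def overwrite_password_hardened(session: Session, body: dict) -> int:
    """Same entry checks, plus an authorization decision about the target:
    the acting user may not overwrite an account ranked above their own."""
    if not _entry_checks_pass(session, body):
        return 403
    target = USERS.get(int(body["userId"]))
    if target is None:
        return 404
    actor = USERS[session.user_id]
    if target["rank"] > actor["rank"]:
        return 403
    target["password_hash"] = "hash(" + body["newPassword"] + ")"
    return 200


def run_scenario(handler) -> tuple:
    """Admin 7 (USER_EDIT, valid CSRF) tries to reset superadmin 1's password.
    Returns (status, superadmin's stored hash afterwards)."""
    USERS[1]["password_hash"] = "hash(root-pw)"   # reset state so each run is independent
    session = Session(user_id=7, permissions={"USER_EDIT"})
    body = {"userId": 1, "newPassword": "pwned", "csrf": "tok"}   # attacker-chosen userId
    status = handler(session, body)
    return status, USERS[1]["password_hash"]
```

The CSRF token and the permission flag are necessary but not sufficient: they establish that a legitimate admin session made the request, not that the session may act on the account the request names.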
3) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: N/A)
CWE-ID: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to take over arbitrary user accounts.
The vulnerability exists due to a weak password recovery mechanism in the /api/user/password/update endpoint. The endpoint accepts unauthenticated PUT requests and treats a matching username and associated e-mail address as sufficient proof of identity. A remote attacker who knows a user's username and e-mail address can send a specially crafted PUT request and take over that account.
The issue can be used against administrative accounts, including SuperAdmin accounts, and no user interaction is required.
4) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: N/A)
CWE-ID: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists because the password reset API endpoint returns different responses depending on whether the supplied username and e-mail pair belongs to an existing account. A remote attacker can submit password reset requests with guessed username and e-mail combinations and use the response difference as an oracle to confirm which pairs are valid.
The confirmed pairs are the same username and e-mail combinations that the password reset flow accepts as proof of identity, so this oracle feeds directly into the account-takeover issues in this bulletin.
5) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: N/A)
CWE-ID: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to modify another user's password.
The vulnerability exists due to a weak password recovery mechanism in the UnauthorizedUserController password reset flow, which processes unauthenticated password reset requests after verifying only that the supplied username and e-mail match. A remote attacker can send a password reset request naming another user's account and change that user's password.
The password is changed immediately, before any out-of-band confirmation step, so the victim's old password stops working as soon as the attacker's request is processed and without any action by the victim; even where the attacker cannot use the new password, the result is a denial of access to the account.
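The three password-recovery issues above (items 3, 4 and 5) share one root cause, so one added example covers them; it is not phpMyFAQ code. The weak flow resets the password in the same unauthenticated request that supplies a username and e-mail, and its reply differs for valid and invalid pairs; the hardened flow answers identically in both cases, changes nothing until a single-use, time-limited token is redeemed, and leaves the old password working until then. The in-memory user store, the reply texts, the token lifetime and the "outbox" list standing in for e-mail delivery are all constructed assumptions.

```python
"""Forgot-password flow: weak form (immediate reset plus response oracle)
beside a hardened form (uniform reply, deferred change via out-of-band token).

Added example, not phpMyFAQ code. The user store, reply texts, token TTL and
the outbox standing in for e-mail delivery are constructed assumptions."""
import hashlib
import os
import secrets
import time

GENERIC_REPLY = "If the account exists, a reset link has been sent."


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self.users = {}          # username -> {"email", "salt", "hash"}
        self.reset_tokens = {}   # token -> (username, expiry timestamp)
        self.outbox = []         # constructed stand-in for out-of-band delivery

    def add(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt, "hash": hash_password(password, salt)}

    def check_login(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and secrets.compare_digest(u["hash"], hash_password(password, u["salt"]))

    def _matches(self, username: str, email: str) -> bool:
        u = self.users.get(username)
        return u is not None and u["email"].lower() == email.lower()

    # Weak flow: one unauthenticated request both proves identity and sets the password.
    def reset_weak(self, username: str, email: str, new_password: str) -> str:
        if not self._matches(username, email):
            return "Unknown user or e-mail"          # oracle: differs from the success reply
        u = self.users[username]
        u["hash"] = hash_password(new_password, u["salt"])  # victim's old password dies here
        return "Password updated"

    # Hardened flow, step 1: uniform reply; a match only queues a token for delivery.
    def request_reset(self, username: str, email: str, ttl_seconds: int = 900) -> str:
        if self._matches(username, email):
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = (username, time.time() + ttl_seconds)
            self.outbox.append((self.users[username]["email"], token))
        return GENERIC_REPLY

    # Hardened flow, step 2: the password changes only when the token is redeemed.
    def confirm_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(token, None)   # single use
        if entry is None:
            return False
        username, expiry = entry
        if time.time() > expiry:
            return False
        u = self.users[username]
        u["salt"] = os.urandom(16)
        u["hash"] = hash_password(new_password, u["salt"])
        return True
```

Two details carry the security argument: request_reset does the same amount of observable work for hit and miss apart from the queued delivery, so the attacker learns nothing about the pair, and confirm_reset is the only code path that touches the stored hash, so an attacker who knows a username and e-mail but cannot read the victim's mailbox can neither take over the account nor lock the victim out.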
Remediation
Install the update from the vendor's website.
References
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gp95-j463-vv28
- https://github.com/advisories/GHSA-gp95-j463-vv28
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-xvp4-phqj-cjr3
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35