Insecure Default Initialization of Resource in phpMyFAQ - #VU131752


Published: May 18, 2026


Vulnerability identifier: #VU131752
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1188
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software:
phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote attacker to modify FAQ entries, categories, and questions via the REST API without authentication.

The vulnerability exists because the REST API token authentication check initializes the API client token to an insecure default (an empty value), so a request that carries an empty x-pmf-token header satisfies the check. A remote attacker can send crafted API requests with an empty token header and modify FAQ entries, categories, and questions via the REST API without authentication.

The issue affects installations where the API client token has been left at its default empty value and the affected write endpoints rely on hasValidToken() as their only authentication check.
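The following is an added illustrative model of the comparison pattern the description implies, with a fail-closed version beside it; it is not phpMyFAQ's own code. The configuration default, the method names other than hasValidToken(), and the placeholder token value are assumptions.

```php
<?php
// Illustrative model of the CWE-1188 pattern described above; NOT phpMyFAQ's code.
// Assumptions: the API client token is read from configuration and defaults to
// an empty string when the administrator has never set one, and the request
// carries the token in the x-pmf-token header (null when the header is absent).

declare(strict_types=1);

final class TokenCheck
{
    /**
     * Weak check (assumed shape of the flawed logic): compares the header value
     * to the configured token with no guard for the "never configured" state.
     * If the stored token is still the default '' and the request sends an
     * empty x-pmf-token header, the comparison succeeds and the caller treats
     * the request as authenticated.
     */
    public static function weakHasValidToken(string $configuredToken, ?string $headerToken): bool
    {
        return ($headerToken ?? '') === $configuredToken;
    }

    /**
     * Hardened check: fail closed when no token has been provisioned, reject a
     * missing or empty header outright, and compare in constant time so the
     * check does not leak the token length or prefix via timing.
     */
    public static function hasValidToken(string $configuredToken, ?string $headerToken): bool
    {
        if ($configuredToken === '' || $headerToken === null || $headerToken === '') {
            return false;
        }
        return hash_equals($configuredToken, $headerToken);
    }
}

// Constructed scenario: the token was never set and a request arrives with an
// empty x-pmf-token header. The weak check accepts it; the hardened one does not.
$configuredToken = '';   // insecure default left in place
$headerToken     = '';   // empty x-pmf-token header from the request

var_dump(TokenCheck::weakHasValidToken($configuredToken, $headerToken));
var_dump(TokenCheck::hasValidToken($configuredToken, $headerToken));

// Once a token has been provisioned (placeholder value), only a matching,
// non-empty header is accepted by the hardened check.
$configuredToken = 'placeholder-provisioned-token';
var_dump(TokenCheck::hasValidToken($configuredToken, 'placeholder-provisioned-token'));
var_dump(TokenCheck::hasValidToken($configuredToken, ''));
```

As a defender-side check, the hardened version makes the unset-token state a hard failure rather than a silently matching default, which is the condition the description identifies.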


Remediation

Install the security update from the vendor's website.

Sources