Weak Password Recovery Mechanism for Forgotten Password in phpMyFAQ - #VU131755
Published: May 18, 2026
phpMyFAQ
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to a weak password recovery mechanism in the password reset API endpoint when handling password reset requests with supplied username and email pairs. A remote attacker can send a specially crafted password reset request to disclose sensitive information.
The endpoint returns different responses for valid and invalid username and email pairs.
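The difference between a reset handler that reveals pair validity and one that does not, as an added example: this is not phpMyFAQ's code, and the function names, status codes, messages and the in-memory account store are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample account store (stands in for the user table).
const USERS = ['alice' => 'alice@example.test'];

/** True when the username exists and the supplied e-mail belongs to it. */
function pairMatches(string $username, string $email): bool
{
    $stored = USERS[$username] ?? null;
    return $stored !== null && hash_equals(strtolower($stored), strtolower($email));
}

/** Weak pattern: status code and message tell the caller whether the pair is valid. */
function resetWeak(string $username, string $email): array
{
    if (!pairMatches($username, $email)) {
        return ['status' => 409, 'body' => ['error' => 'Username and e-mail do not match.']];
    }
    return ['status' => 200, 'body' => ['success' => 'Reset e-mail sent.']];
}

/** Hardened pattern: the HTTP response is identical for every pair; only the mailbox learns the outcome. */
function resetUniform(string $username, string $email, callable $sendMail): array
{
    if (pairMatches($username, $email)) {
        // Single-use token, delivered out of band (hypothetical mailer callback).
        $sendMail($email, bin2hex(random_bytes(32)));
    }
    return ['status' => 200, 'body' => ['message' => 'If the account exists, a reset e-mail has been sent.']];
}

$outbox = [];
$mailer = function (string $to, string $token) use (&$outbox): void { $outbox[] = $to; };

// Constructed requests: one valid pair, one wrong e-mail, one unknown username.
$requests = [['alice', 'alice@example.test'], ['alice', 'wrong@example.test'], ['nobody', 'x@example.test']];
foreach ($requests as [$u, $e]) {
    $weak = resetWeak($u, $e);
    $uniform = resetUniform($u, $e, $mailer);
    printf("%-7s %-20s weak=%d uniform=%d\n", $u, $e, $weak['status'], $uniform['status']);
}
printf("reset mails sent by the uniform handler: %d\n", count($outbox));
```

In a real deployment the mail should be queued rather than sent inline, so that response time does not become a second signal, and the endpoint should be rate-limited per client and per account.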