CVE-2026-35675 thorsten CVE debrief

Who should care

Organizations running phpMyFAQ instances for knowledge base or FAQ management, particularly those exposing administrative interfaces to the internet. Security teams responsible for web application security and identity management infrastructure. Hosting providers and managed service providers with phpMyFAQ deployments in their customer environments.

Technical summary

The vulnerability exists in the password reset API endpoint of phpMyFAQ versions prior to 4.1.3. The endpoint fails to validate password reset tokens or confirm email ownership before applying password changes. An unauthenticated attacker can submit arbitrary username values to the endpoint, triggering password resets without proper authorization checks. The system sends the new plaintext password to the registered email address, but the attacker-controlled password change succeeds regardless. This enables username enumeration through differential responses, credential interception if email is compromised, and full account compromise including privileged administrative accounts. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and high impact to integrity.

Defensive priority

critical

Recommended defensive actions

• Upgrade phpMyFAQ to version 4.1.3 or later immediately
• Review authentication logs for suspicious password reset activity targeting administrative accounts
• Implement network-level access controls to restrict exposure of phpMyFAQ admin interfaces
• Enable multi-factor authentication for all administrative accounts where supported
• Monitor for unauthorized password change notifications sent to user email addresses
• Conduct account access review to identify any compromised accounts requiring credential rotation

Evidence notes

Vulnerability disclosed via GitHub Security Advisory GHSA-w9xh-5f39-vq89 and Vulncheck advisory. NVD status marked as 'Deferred' at time of publication.

Official resources