CVE-2026-35675

Published: Mag 28, 2026 Last Modified: Mag 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,2

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: high

Availability: none

Description

AI Translation Available

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

307

Improper Restriction of Excessive Authentication Attempts

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/thorsten/phpMyFAQ/security/advisories/GH…

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89

https://www.vulncheck.com/advisories/phpmyfaq-authenticatio…

https://www.vulncheck.com/advisories/phpmyfaq-authentication-bypass-via-missing…

CVE-2026-35675

Description

Improper Restriction of Excessive Authentication Attempts

Common Consequences

Applicable Platforms

Iscriviti alla newsletter