PT-2026-44384 · Phpmyfaq · Phpmyfaq

Cyberhunter127 · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-35675

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.3

Description: An authentication bypass exists in the password reset mechanism that allows unauthenticated attackers to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request to the "/api/user/password/update" endpoint with a valid username and its associated email address, an attacker can trigger a password reset without token verification, rate limiting, or email confirmation. The application then generates a new password and sends it in plaintext by email, enabling complete account takeover and full administrative access. The issue is located in the updatePassword() function in UnauthorizedUserController.php. Because the error response differs when the supplied email address does not match the account, attackers can also use this endpoint to enumerate valid usernames.

Recommendations: Update to version 4.1.3 or later. As a temporary workaround, restrict access to the "/api/user/password/update" endpoint (for example, with a deny rule in the web server or WAF in front of phpMyFAQ) to minimize the risk of exploitation.
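The flaw described above, modelled in Python beside a hardened flow. This is an added example written for this page, not phpMyFAQ's code (the affected updatePassword() controller is PHP and is not reproduced here). The insecure function reproduces the behaviour the description gives: one request carrying a username and email resets the account and mails the new password, and the error codes differ for an unknown username versus a wrong email. The ResetService class shows the three controls the description says are missing: a single-use, expiring token confirmed in a second step, a per-client rate limit, and a uniform response that does not reveal whether the account exists. All names (User, Outbox, insecure_update_password, ResetService, TOKEN_TTL, MAX_ATTEMPTS, WINDOW) and the sample accounts and IP addresses are assumptions constructed for the demonstration.

```python
"""Model of the reset flaw described above (CVE-2026-35675) beside a hardened flow.

Illustrative code added for this page, not phpMyFAQ's code: the PHP controller
is not reproduced here. All names below (User, Outbox, insecure_update_password,
ResetService, TOKEN_TTL, MAX_ATTEMPTS, WINDOW) are hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    password: str  # kept in plaintext only so the demonstration can observe resets


@dataclass
class Outbox:
    mails: list = field(default_factory=list)  # (recipient, body) pairs


def insecure_update_password(users, outbox, username, email):
    """Behaves like the advisory's description of PUT /api/user/password/update:
    one unauthenticated request resets the account; no token, no rate limit, no
    confirmation step; distinct errors reveal whether the username exists."""
    user = users.get(username)
    if user is None:
        return 404, "user not found"            # differs from the next branch: enumeration
    if user.email != email:
        return 400, "email does not match"      # username confirmed to exist
    user.password = secrets.token_urlsafe(12)   # reset happens immediately
    outbox.mails.append((email, f"Your new password is {user.password}"))
    return 200, "password updated"


TOKEN_TTL = 900       # seconds a reset token stays valid
MAX_ATTEMPTS = 5      # reset requests allowed per client within WINDOW
WINDOW = 3600         # seconds


class ResetService:
    """Hardened two-step flow: request_reset mails a single-use, expiring token to
    the address on file and answers uniformly; confirm_reset changes the password
    only when that token is presented."""

    def __init__(self, users, outbox, now=time.time):
        self.users, self.outbox, self.now = users, outbox, now
        self.tokens = {}     # token -> (username, expiry)
        self.attempts = {}   # client_ip -> timestamps of recent requests

    def _rate_limited(self, client_ip):
        t = self.now()
        recent = [s for s in self.attempts.get(client_ip, []) if t - s < WINDOW]
        self.attempts[client_ip] = recent + [t]
        return len(recent) >= MAX_ATTEMPTS

    def request_reset(self, client_ip, username, email):
        if self._rate_limited(client_ip):
            return 429, "too many requests"
        user = self.users.get(username)
        # Constant-time compare; mail goes only to the address on file.
        if user is not None and hmac.compare_digest(user.email.encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (username, self.now() + TOKEN_TTL)
            self.outbox.mails.append((user.email, f"reset token: {token}"))
        # Same status and text whether or not the username/email pair exists.
        return 202, "if the account exists, a reset link has been sent"

    def confirm_reset(self, token, new_password):
        entry = self.tokens.pop(token, None)    # single use: gone after first lookup
        if entry is None:
            return 400, "invalid or expired token"
        username, expiry = entry
        if self.now() > expiry:
            return 400, "invalid or expired token"
        self.users[username].password = new_password
        return 200, "password updated"


if __name__ == "__main__":
    # Constructed sample data; 203.0.113.0/24 is a documentation address range.
    users, outbox = {"admin": User("admin@example.test", "old")}, Outbox()
    print(insecure_update_password(users, outbox, "admin", "admin@example.test"))
    print(outbox.mails)                        # new plaintext password mailed out
    svc = ResetService({"admin": User("admin@example.test", "old")}, Outbox())
    print(svc.request_reset("203.0.113.5", "nobody", "x@example.test"))
    print(svc.request_reset("203.0.113.5", "admin", "x@example.test"))   # identical
```

Two caveats a real deployment adds on top of this: the 202 branch should take comparable time whether or not mail is queued (hand the send to a queue rather than an inline SMTP call, or the timing becomes the enumeration oracle), and the token should be bound to the account's current credential state so that a completed password change invalidates any token still outstanding.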

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-35675
GHSA-W9XH-5F39-VQ89

Affected Products

Phpmyfaq