PT-2026-44385 · Phpmyfaq · Phpmyfaq

Kitu232 · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-35676

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.3
Description: An unauthenticated password reset issue exists in the user password update API endpoint. The application changes the password immediately when the submitted username and email pair matches an existing account, without token validation, a confirmation link, or any other proof of control over the mailbox. Because the API responds differently for matching and non-matching pairs, an attacker can enumerate valid username and email pairs and then force an immediate password change for any enumerated user, disrupting the account and invalidating the legitimate credentials. The issue is located in the updatePassword() function in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php. The affected endpoint is "/api/index.php/user/password/update" (PUT method), which processes the username and email parameters.
Recommendations: Update to version 4.1.3 or later. As a temporary workaround until the update can be applied, restrict access to the "/api/index.php/user/password/update" endpoint (for example, at the web server or reverse proxy) to minimize the risk of exploitation.
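The following is an added example, not phpMyFAQ code and not taken from the fix. It models the behaviour the description reports (a password replaced as soon as a username and email pair matches, with a response that differs for non-matching pairs) next to a two-step, token-backed reset that requires proof of mailbox control and answers identically whether or not the account exists. The user table, e-mail addresses, passwords, the in-memory outbox standing in for mail delivery, and the function and class names are all constructed for the example.

```python
# Added example (not phpMyFAQ code): models the weakness described in the
# advisory and a two-step, token-backed flow that removes it.
# All users, e-mail addresses and passwords below are constructed test data.
import hashlib
import hmac
import secrets
import time


def make_users():
    """Constructed in-memory user table standing in for the application database."""
    return {
        "alice": {"email": "alice@example.org", "password": "alice-old-secret"},
        "bob": {"email": "bob@example.org", "password": "bob-old-secret"},
    }


def vulnerable_update_password(users, username, email):
    """Model of the reported behaviour: a matching username/email pair is enough
    to replace the password at once, and the reply differs for a non-match, so
    an unauthenticated caller can both enumerate pairs and reset accounts."""
    user = users.get(username)
    if user is None or user["email"] != email:
        return {"status": 400, "message": "user/email pair not found"}  # leaks validity
    user["password"] = secrets.token_urlsafe(12)  # legitimate credential now invalid
    return {"status": 200, "message": "password changed"}


class HardenedReset:
    """Two-step reset: the first call only stores a hashed, short-lived,
    single-use token and hands the plaintext token to the mailbox owner; the
    password changes only when that token is presented. Both branches of the
    first step return the same reply, so nothing about account existence leaks."""

    def __init__(self, users, ttl_seconds=900):
        self.users = users
        self.ttl = ttl_seconds
        self.pending = {}  # sha256(token) -> (username, expiry); plaintext never stored
        self.outbox = []   # constructed stand-in for e-mail delivery: (email, token)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username, email, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is not None and hmac.compare_digest(user["email"].encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            self.pending[self._digest(token)] = (username, now + self.ttl)
            self.outbox.append((email, token))
        # Identical status and text whether or not the pair matched.
        return {"status": 202, "message": "if the account exists, a reset link has been sent"}

    def confirm_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return {"status": 400, "message": "invalid or expired token"}
        username, expiry = entry
        if now > expiry:
            return {"status": 400, "message": "invalid or expired token"}
        self.users[username]["password"] = new_password
        return {"status": 200, "message": "password changed"}


def demo():
    """Run both flows on the constructed data and return the observed outcomes."""
    users = make_users()
    enum_hit = vulnerable_update_password(users, "alice", "alice@example.org")["status"]
    enum_miss = vulnerable_update_password(users, "alice", "wrong@example.org")["status"]
    alice_reset_by_attacker = users["alice"]["password"] != "alice-old-secret"

    users = make_users()
    svc = HardenedReset(users, ttl_seconds=900)
    req_hit = svc.request_reset("bob", "bob@example.org", now=1000)
    req_miss = svc.request_reset("bob", "wrong@example.org", now=1000)
    bob_unchanged_after_request = users["bob"]["password"] == "bob-old-secret"
    _, token = svc.outbox[0]
    guessed = svc.confirm_reset("not-the-real-token", "x", now=1001)["status"]
    confirmed = svc.confirm_reset(token, "bob-new-secret", now=1001)["status"]
    replayed = svc.confirm_reset(token, "evil", now=1002)["status"]
    svc.request_reset("bob", "bob@example.org", now=2000)
    _, late_token = svc.outbox[1]
    expired = svc.confirm_reset(late_token, "x", now=2901)["status"]  # ttl 900 elapsed
    return {
        "enum_hit": enum_hit, "enum_miss": enum_miss,
        "alice_reset_by_attacker": alice_reset_by_attacker,
        "same_reply": req_hit == req_miss,
        "bob_unchanged_after_request": bob_unchanged_after_request,
        "guessed": guessed, "confirmed": confirmed, "replayed": replayed,
        "expired": expired, "bob_password": users["bob"]["password"],
    }
```

The vulnerable model is the one to compare against the description: the 400/200 split is the response difference that enables enumeration, and the password is overwritten before anyone has proven mailbox control. In the hardened flow the only secret that reaches the caller is delivered out of band, is stored only as a hash, expires, and is consumed on first use, so a guessed, replayed, or stale token cannot change a password.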

Related Identifiers

CVE-2026-35676
GHSA-9QV9-8XV6-5P35

Affected Products

Phpmyfaq