CVE-2026-35671
HIGH
phpMyFAQ - Insecure Direct Object Reference in User Password API
Title source: cna
Description
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
References (2)
Core References
Third Party Advisory
GHSA Advisory GHSA-xvp4-phqj-cjr3
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-xvp4-phqj-cjr3
Third Party Advisory
VulnCheck Advisory: phpMyFAQ - Insecure Direct Object Reference in User Password API
https://www.vulncheck.com/advisories/phpmyfaq-insecure-direct-object-reference-in-user-password-api
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
21.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-266
Status
published
Products (4)
phpmyfaq/phpmyfaq
0 - 4.1.3 (Packagist)
thorsten/phpMyFAQ
< 4.1.3
thorsten/phpmyfaq
0 - 4.1.3 (Packagist)
thorsten/phpMyFAQ
4.1.3
Published
May 28, 2026
Tracked Since
May 28, 2026