CVE-2026-35671— phpMyFAQ - Insecure Direct Object Reference in User Password API
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35671
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
phpMyFAQ - Insecure Direct Object Reference in User Password API
Source: NVD (National Vulnerability Database)
Vulnerability Description
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权授予不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
phpMyFAQ 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
phpMyFAQ是Thorsten Rinne个人开发者的一个多语言、完全由数据库驱动的常见问题解答系统。 phpMyFAQ 4.1.3之前版本存在安全漏洞,该漏洞源于管理API用户密码端点存在不安全的直接对象引用,使得经过身份验证的管理员可在未授权验证的情况下更改任意用户密码,导致低权限管理员可通过修改userId参数提升至超级管理员权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35671
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35671
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-35671 (2)
Same Patch Batch · thorsten · 2026-05-28 · 4 CVEs total
| CVE-2026-35675 | 8.2 HIGH | phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/up |
| CVE-2026-35676 | 8.2 HIGH | phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint |
| CVE-2026-35672 | 7.5 HIGH | phpMyFAQ - Authentication Bypass via Empty API Token |
IV. Related Vulnerabilities
Same product: phpMyFAQ
- CVE-2026-35676
phpMyFAQ - Unauthenticated Password Reset via User Password - CVE-2026-35672
phpMyFAQ - Authentication Bypass via Empty API Token - CVE-2026-35675
phpMyFAQ - Authentication Bypass via Missing Password Reset - CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF
Same vendor: thorsten
- CVE-2026-35676
phpMyFAQ - Unauthenticated Password Reset via User Password - CVE-2026-35675
phpMyFAQ - Authentication Bypass via Missing Password Reset - CVE-2026-35672
phpMyFAQ - Authentication Bypass via Empty API Token - CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF
Same weakness: CWE-266
- CVE-2026-9795
Keycloak: keycloak: privilege escalation via improper scope - CVE-2026-42758
WordPress WebinarIgnition plugin < 4.08.253 - Privilege Esca - CVE-2026-42731
WordPress miniorange otp verification plugin <= 5.4.9 - Priv - CVE-2026-45216
WordPress Smart Manager plugin <= 8.85.0 - Privilege Escalat - CVE-2025-32747
Dell PowerFlex Manager 安全漏洞
V. Comments for CVE-2026-35671
No comments yet