CVE-2026-35671 HIGH

CVE-2026-35671: phpMyFAQ - Insecure Direct Object Reference in User Password API

Vendor Thorsten

Product phpMyFAQ

Weakness CWE-266

Published May 28, 2026

Last update May 30, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

Key dates

Disclosure timeline

May 28, 2026 CVE published

May 30, 2026 Record updated