CVE-2026-35672 HIGH

CVE-2026-35672: phpMyFAQ - Authentication Bypass via Empty API Token

Vendor Thorsten

Product phpMyFAQ

Weakness CWE-1188

Published May 28, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

Key dates

Disclosure timeline

May 28, 2026 CVE published

May 28, 2026 Record updated