CVE-2026-35675 is a high-severity security vulnerability in thorsten/phpmyfaq (composer), affecting versions < 4.1.3. It is fixed in 4.1.3.
Summary An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access. Details File: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php Lines: 56-130 The updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body: #[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])] Root Causes: No time-limited cryptographic token required for password reset No rate limiting on the endpoint (allows unlimited username/email enumeration) No verification email sent to original address before reset New password sent in plaintext email without any confirmation step PoC Prerequisites: None (unauthenticated attack) Step 1 - Username/Email Enumeration (no rate limiting): Test with wrong email - reveals if user exists Response: {"error":"The email doesn't exist..."} <- user exists but wrong email OR Response: {"error":"The user doesn't exist"} <- user doesn't exist Step 2 - Password Reset (no token required): Response: {"success":"Email has been sent."} The new plaintext password is sent to [email protected] Step 3 - Account Takeover: Attacker now has valid credentials and can log in as SuperAdmin. Impact Aspect Details Vulnerability Type Authentication Bypass / Weak Password Recovery Mechanism (CWE-640) Attack Vector Network (unauthenticated HTTP request) Privileges Required None User Interaction None Scope Full administrative access to phpMyFAQ Confidentiality High - attacker gains full access to all user data and FAQ content Integrity High - attacker can modify all content and settings Availability High - attacker can lock out legitimate users Who is Impacted: All phpMyFAQ administrators using default installations Any organization using phpMyFAQ for internal knowledge bases End users whose accounts could be compromised Organizations relying on phpMyFAQ for customer support FAQs Attack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address
CVE-2026-35675 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.1.3). Upgrading removes the vulnerable code path.
composer
thorsten/phpmyfaq (< 4.1.3)phpmyfaq/phpmyfaq (< 4.1.3)thorsten/phpmyfaq → 4.1.3 (composer)phpmyfaq/phpmyfaq → 4.1.3 (composer)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-35675 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-35675 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-35675 in your environment →Upgrade the following packages to resolve this vulnerability:
thorsten/phpmyfaq to 4.1.3 or laterphpmyfaq/phpmyfaq to 4.1.3 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-35675 is a high-severity security vulnerability in thorsten/phpmyfaq (composer), affecting versions < 4.1.3. It is fixed in 4.1.3.
CVE-2026-35675 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
thorsten/phpmyfaq (composer) (versions < 4.1.3)phpmyfaq/phpmyfaq (composer) (versions < 4.1.3)Yes. CVE-2026-35675 is fixed in 4.1.3. Upgrade to this version or later.
Whether CVE-2026-35675 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
thorsten/phpmyfaq to 4.1.3 or laterphpmyfaq/phpmyfaq to 4.1.3 or later