High severity8.8GHSA Advisory· Published May 28, 2026· Updated May 30, 2026
CVE-2026-35671
CVE-2026-35671
Description
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
thorsten/phpmyfaqPackagist | < 4.1.3 | 4.1.3 |
phpmyfaq/phpmyfaqPackagist | < 4.1.3 | 4.1.3 |
Affected products
3- Range: < 4.1.3
- ghsa-coords2 versions
< 4.1.3+ 1 more
- (no CPE)range: < 4.1.3
- (no CPE)range: < 4.1.3
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.