VYPR
High severity8.8GHSA Advisory· Published May 28, 2026· Updated May 30, 2026

CVE-2026-35671

CVE-2026-35671

Description

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 4.1.34.1.3
phpmyfaq/phpmyfaqPackagist
< 4.1.34.1.3

Affected products

3

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.