VYPR
Critical severity9.1NVD Advisory· Published May 15, 2026· Updated May 28, 2026

CVE-2026-45010

CVE-2026-45010

Description

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 4.1.24.1.2
phpmyfaq/phpmyfaqPackagist
< 4.1.24.1.2

Affected products

1

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.