Package details: pkg:composer/phpmyfaq/phpmyfaq@4.1.3
purl pkg:composer/phpmyfaq/phpmyfaq@4.1.3
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jz15-nqr4-k3gh | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request. | CVE-2026-35671, GHSA-xvp4-phqj-cjr3 |
| VCID-mdxy-3bhf-6ybe | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. | CVE-2026-35672, GHSA-gp95-j463-vv28 |
| VCID-qhs7-chnh-47bd | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials. | CVE-2026-35676, GHSA-9qv9-8xv6-5p35 |
| VCID-xycj-87qb-pycz | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access. | CVE-2026-35675, GHSA-w9xh-5f39-vq89 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T07:52:01.788331+00:00 | GithubOSV Importer | Fixing | VCID-qhs7-chnh-47bd | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9qv9-8xv6-5p35/GHSA-9qv9-8xv6-5p35.json | 38.6.0 |
| 2026-06-12T07:51:58.661216+00:00 | GithubOSV Importer | Fixing | VCID-mdxy-3bhf-6ybe | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gp95-j463-vv28/GHSA-gp95-j463-vv28.json | 38.6.0 |
| 2026-06-12T07:51:39.975512+00:00 | GithubOSV Importer | Fixing | VCID-jz15-nqr4-k3gh | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xvp4-phqj-cjr3/GHSA-xvp4-phqj-cjr3.json | 38.6.0 |
| 2026-06-12T07:51:18.043561+00:00 | GithubOSV Importer | Fixing | VCID-xycj-87qb-pycz | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w9xh-5f39-vq89/GHSA-w9xh-5f39-vq89.json | 38.6.0 |
| 2026-06-11T20:38:47.407493+00:00 | GHSA Importer | Fixing | VCID-xycj-87qb-pycz | https://github.com/advisories/GHSA-w9xh-5f39-vq89 | 38.6.0 |
| 2026-06-11T20:38:47.365273+00:00 | GHSA Importer | Fixing | VCID-mdxy-3bhf-6ybe | https://github.com/advisories/GHSA-gp95-j463-vv28 | 38.6.0 |
| 2026-06-11T20:38:47.345548+00:00 | GHSA Importer | Fixing | VCID-jz15-nqr4-k3gh | https://github.com/advisories/GHSA-xvp4-phqj-cjr3 | 38.6.0 |
| 2026-06-11T20:38:47.317922+00:00 | GHSA Importer | Fixing | VCID-qhs7-chnh-47bd | https://github.com/advisories/GHSA-9qv9-8xv6-5p35 | 38.6.0 |