| CVE-2026-35671 | high | 8.8 | 8.8 | | | | 7h ago | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without… |
| CVE-2026-35676 | high | 8.2 | 8.2 | | | | 7h ago | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Att… |
| CVE-2026-35675 | high | 8.2 | 8.2 | | | | 7h ago | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio… |
| CVE-2026-35672 | high | 7.5 | 7.5 | | | | 7h ago | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers c… |
| CVE-2026-46365 | medium | 5.4 | 5.4 | | | | 13d ago | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl… |
| CVE-2026-46363 | medium | 5.4 | 5.4 | | | | 13d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent… |
| CVE-2026-46360 | medium | 5.4 | 5.4 | | | | 13d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san… |
| CVE-2026-45009 | medium | 4.3 | 4.3 | | | | 13d ago | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login statu… |