Advisory Database

CVE-2026-35675: phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration

May 20, 2026 (updated May 31, 2026)

An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.
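As an added defender-side example (not part of the advisory or of phpMyFAQ itself), the following Python script flags source IPs that send bursts of PUT requests to /api/user/password/update in constructed sample access-log lines, since a legitimate user seldom repeats a reset several times within minutes, and checks whether a deployed version string falls below the fixed release 4.1.3. The combined-log format, the threshold and window, the sample IPs, and the plain dotted numeric version format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic), combined-log style.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:10:00:01 +0000] "PUT /api/user/password/update HTTP/1.1" 200 42
203.0.113.7 - - [20/May/2026:10:00:02 +0000] "PUT /api/user/password/update HTTP/1.1" 400 17
203.0.113.7 - - [20/May/2026:10:00:03 +0000] "PUT /api/user/password/update HTTP/1.1" 400 17
203.0.113.7 - - [20/May/2026:10:00:04 +0000] "PUT /api/user/password/update HTTP/1.1" 200 42
198.51.100.4 - - [20/May/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [20/May/2026:10:06:30 +0000] "PUT /api/user/password/update HTTP/1.1" 200 42
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RESET_PATH = "/api/user/password/update"  # endpoint named in the advisory

def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_reset_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map IP -> hit count for IPs sending >= threshold reset PUTs within `window`.
    Status codes are ignored on purpose: both 200 and 400 replies can leak whether
    a username/email pair exists, so every attempt counts toward the burst."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "PUT" and rec["path"] == RESET_PATH:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i  # sliding window starting at times[i]
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged

def is_affected(version):
    """True if a dotted numeric phpMyFAQ version is below the fixed release 4.1.3."""
    return tuple(int(p) for p in version.split(".")[:3]) < (4, 1, 3)
```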

References

  • github.com/advisories/GHSA-w9xh-5f39-vq89
  • github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89
  • nvd.nist.gov/vuln/detail/CVE-2026-35675


Affected versions

All versions before 4.1.3

Fixed versions

  • 4.1.3

Solution

Upgrade to version 4.1.3 or above.

Impact 8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N


Weakness

  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Source file

packagist/thorsten/phpmyfaq/CVE-2026-35675.yml

Page generated Tue, 23 Jun 2026 12:22:53 +0000.