9.3
CVE-2026-45010: phpMyFAQ: Unauthenticated Access to Admin Panel
Summary
An attacker can repeatedly submit guesses for a user's six-digit two-factor authentication code until one is accepted, gaining full access to the admin panel. This is a serious issue because the attacker could then make changes to the site that affect everyone who uses it. To fix this, update to phpMyFAQ version 4.1.2 or later.
Original title
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bi...
Original description
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.
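The two controls the description says are missing, binding the second-factor check to the already authenticated session instead of a client-supplied user id and limiting failed attempts per user, as an added illustrative model. This is not phpMyFAQ's code (it is written in Python rather than PHP), and the attempt limit, lockout window and the test secret are constructed values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5        # constructed policy values, not phpMyFAQ's
LOCKOUT_SECONDS = 300


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class User:
    user_id: int
    secret: bytes
    failures: int = 0        # consecutive failed second-factor attempts
    locked_until: int = 0    # Unix time until which checks are refused


@dataclass
class Session:
    # Set server-side once the password step succeeded; never taken from the request.
    pending_user_id: Optional[int] = None


def check_weak(users: dict, user_id: int, token: str, now: int) -> bool:
    """The pattern the advisory describes: the user id comes from the request and
    nothing counts failures, so every call is an independent guess. Shown for contrast."""
    return hmac.compare_digest(totp(users[user_id].secret, now), token)


def check_hardened(users: dict, session: Session, token: str, now: int) -> bool:
    """Verify the code only for the session's pending user and lock after repeated failures."""
    if session.pending_user_id is None:
        return False                       # no password step completed in this session
    user = users[session.pending_user_id]
    if now < user.locked_until:
        return False                       # refused even if the code would be right
    if hmac.compare_digest(totp(user.secret, now), token):
        user.failures = 0
        return True
    user.failures += 1
    if user.failures >= MAX_ATTEMPTS:
        user.locked_until = now + LOCKOUT_SECONDS
    return False
```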
NVD CVSS 3.1 score: 9.1
Vulnerability type
CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Published: 15 May 2026 · Updated: 28 May 2026 · First seen: 15 May 2026