CRITICALCVE-2026-45010Published 2026-05-15Modified 2026-05-28CNA VulnCheck

CVE-2026-45010: phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 4.1.2
Affected Products: 1

Fix available

4.1.2

Affected packages

thorsten / phpmyfaq
< 4.1.2 (from 0)
Fixed in 4.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

GHSA Advisory GHSA-9pq7-mfwh-xx2j
VulnCheck Advisory: phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

Metrics

Fix available