CVE-2026-35676
CVE-2026-35676 affects phpMyFAQ before 4.1.3. An unauthenticated password-reset flow allows changing a user’s password via the PUT /api/index.php/user/password/update endpoint without token validation. Attackers can enumerate valid username/email pairs and force immediate password changes, potent...