CVE-2026-45010
CriticalSummary
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.
Risk Assessment
Organizations are at risk of unauthorized access to administrative accounts, which can lead to serious security breaches and data loss.
Recommendation
It is recommended to update phpMyFAQ to version 4.1.2 or later and implement additional security measures such as rate limiting for login attempts.
Original NVD description (English source)
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

