CVE Catalog

CVE-2026-45010

Critical
Published: Translated: NVD NIST

Summary

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

Risk Assessment

Organizations are at risk of unauthorized access to administrative accounts, which can lead to serious security breaches and data loss.

Recommendation

It is recommended to update phpMyFAQ to version 4.1.2 or later and implement additional security measures such as rate limiting for login attempts.

Original NVD description (English source)

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS