What is CVE-2026-35672?

CVE-2026-35672 is a high-severity vulnerability in Thorsten Phpmyfaq, classified under Initialization of a Resource with an Insecure Default. CVSS score: 7.5/10. Published 2026-05-28.

How severe is CVE-2026-35672?

High severity. CVSS v3 base score is 7.5 out of 10.

RCE in Thorsten Phpmyfaq

CVE-2026-35672

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to b…

EPSS: 0.001 (26.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Thorsten Phpmyfaq — versions 0, 4.1.3

Weakness classification (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default

References

disclosure@vulncheck.com (third-party-advisory)
disclosure@vulncheck.com (third-party-advisory)

Frequently asked questions

What is CVE-2026-35672?: CVE-2026-35672 is a high-severity vulnerability in Thorsten Phpmyfaq, classified under Initialization of a Resource with an Insecure Default. CVSS score: 7.5/10. Published 2026-05-28.
How severe is CVE-2026-35672?: High severity. CVSS v3 base score is 7.5 out of 10.