CVE-2026-27836

High CVSS: 7.5

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.

Vendor

Phpmyfaq

Product

Phpmyfaq

CWE

CWE-862

Yayın Tarihi

2026-02-27 20:21:40

Güncelleme

2026-03-04 16:08:53

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-862 Phpmyfaq HIGH Phpmyfaq 2026

Referanslar

https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4

Benzer Kayıtlar

Medium

CVE-2026-34973

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/p…

Medium

CVE-2026-34974

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSa…

Medium

CVE-2026-34729

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex By…

High

CVE-2026-34728

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handl…

Medium

CVE-2026-24422

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly e…

Medium

CVE-2026-24420

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlatta…