CVE-2026-27836
HIGH 7.5
Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2/27/2026
Last modified: 3/4/2026
Source: nvd
Honeypot sightings: 0
Affected products
phpmyfaq:phpmyfaq
Weaknesses (CWE)
CWE-862
References
https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1 (security-advisories@github.com)
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4 (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.