Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
Published: 2026-06-08
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 4.1.4, phpMyFAQ hashes attachment passwords with SHA-1, a weak hash algorithm vulnerable to collision attacks. This weakness makes it easier for an attacker to forge or recover passwords, potentially allowing unauthorized access to protected attachments. The flaw is categorized as CWE-328, reflecting a broken cryptographic primitive.

Affected Systems

All releases of phpMyFAQ (vendor: Thorsten) before 4.1.4 are affected. Users of earlier versions must acknowledge the risk; newer releases are unaffected.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and no EPSS score is available. The flaw lies in the password hashing layer, so exploitation requires access to the password storage or brute‑force attempts, not a remote attack vector. Because the vulnerability is not listed in CISA’s KEV catalog, widespread active exploitation is not known. The most likely threat comes from a local or privileged attacker who can obtain the hashed passwords and attempt to reverse them using the weakened SHA-1 hash.

Generated by OpenCVE AI on June 8, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.4 or later to replace SHA-1 with a stronger hash function.
  • If an immediate upgrade is impossible, delete all existing attachment passwords and require users to set new, robust passwords.
  • As a temporary countermeasure, disable attachment password protection until the application can be updated.

Generated by OpenCVE AI on June 8, 2026 at 16:39 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thorsten; Thorsten phpmyfaq
Vendors & Products | | Thorsten; Thorsten phpmyfaq

Mon, 08 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
Title | | phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
Weaknesses | | CWE-328
References | |
Metrics | | cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T14:36:01.366Z

Reserved: 2026-05-21T15:33:08.291Z

Link: CVE-2026-48488

Vulnrichment

Updated: 2026-06-09T14:23:39.090Z

NVD

Status: Deferred

Published: 2026-06-08T16:16:43.227

Modified: 2026-06-09T15:25:56.860

Link: CVE-2026-48488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses