{"vulnerability": "cve-2026-3567", "sightings": [{"uuid": "b37ca49e-fcdf-41b3-a63d-a6a056f699f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3567", "type": "seen", "source": "https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-3567", "content": "", "creation_timestamp": "2026-03-20T23:16:28.000000Z"}, {"uuid": "d1bc9f6d-67d8-4aa1-9153-bf7c606b9eb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35679", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mirve3gxle2g", "content": "", "creation_timestamp": "2026-04-05T23:22:50.167649Z"}, {"uuid": "29aed55e-66e9-47d6-9d0f-adc4ccb0e0a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35670", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mj5xyakirt2z", "content": "", "creation_timestamp": "2026-04-10T18:41:50.981369Z"}, {"uuid": "2d166b6c-e78d-47e1-9c5e-2feb7ea4b29a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35678", "type": "seen", "source": "https://t.me/GithubRedTeam/79091", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-35678\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a sharma19d\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-04-06 12:59:07\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-04-06T13:00:04.000000Z"}, {"uuid": "50ada469-c3b5-4513-9081-4f726902fe15", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35678", "type": "published-proof-of-concept", "source": "Telegram/vk3FldMzdx_13t7ttv05ttLKGzStNIAl9gbsU1WEL8nWdI0", "content": "", "creation_timestamp": "2026-04-06T15:00:15.000000Z"}, {"uuid": "ce08d61a-c40a-4eca-8395-b408d874d3c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-35675", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-w9xh-5f39-vq89", "content": "", "creation_timestamp": "2026-05-20T15:46:55.000000Z"}, {"uuid": "bc273f40-29b8-4139-ae0b-0ada874f4975", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-35676", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-9qv9-8xv6-5p35", "content": "", "creation_timestamp": "2026-05-20T15:45:53.000000Z"}, {"uuid": "e7e68e98-7127-4929-a875-7d62970bc902", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-35672", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-gp95-j463-vv28", "content": "", "creation_timestamp": "2026-05-20T15:46:42.000000Z"}, {"uuid": "3addc85b-58c8-45a0-b5fb-f3790f3cce80", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35675", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwjubgrpa2h", "content": "CVE-2026-35675 - phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update\nCVE ID : CVE-2026-35675\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : phpMyFAQ before 4.1.3 contains an authentication bypass vulnerabilit...", "creation_timestamp": "2026-05-28T17:21:13.475037Z"}, {"uuid": "de7cb34f-175c-497c-9ae0-1a8bb6c67643", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35676", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwklaw3se2c", "content": "CVE-2026-35676 - phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint\nCVE ID : CVE-2026-35676\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the u...", "creation_timestamp": "2026-05-28T17:34:05.894065Z"}, {"uuid": "dd9b0907-0b35-4a71-b3aa-7b9e7ffae136", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-35671", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-xvp4-phqj-cjr3", "content": "", "creation_timestamp": "2026-05-20T15:46:17.000000Z"}, {"uuid": "cdbb7868-2974-46d4-a132-4b1e386a6d19", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35674", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mmyza6ggmm2p", "content": "\ud83d\udfe0 CVE-2026-35674 - High (8.8)\n\nOpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route th...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-35674/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-29T17:01:39.369004Z"}, {"uuid": "32483219-ed1b-4926-8e2a-fdcbd3b5006d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35674", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mnaydvpfyc2r", "content": "\ud83d\udccc CVE-2026-35674 - OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged comman... https://www.cyberhub.blog/cves/CVE-2026-35674", "creation_timestamp": "2026-06-01T21:07:07.932153Z"}, {"uuid": "1cb45ea4-fe97-44a1-81fe-452e5adf9377", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35671", "type": "seen", "source": "https://gist.github.com/alon710/e9c21cf2a4b3d2c5f2db0a4799f8c878", "content": "# GHSA-985R-Q3QP-299H: GHSA-985R-Q3QP-299H: Incomplete Fix in phpMyFAQ Admin API Enables Privilege Escalation and Account Takeover\n\n&gt; **CVSS Score:** 8.8\n&gt; **Published:** 2026-06-26\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-985R-Q3QP-299H\n\n## Summary\nAn incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.\n\n## TL;DR\nAn incomplete security patch in phpMyFAQ allows low-privilege administrative accounts to bypass authorization controls. By submitting crafted requests to vulnerable API endpoints, attackers can modify SuperAdmin account profiles or elevate their own privileges, resulting in full application takeover.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-639\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 8.8\n- **EPSS Score**: Not Available\n- **Vulnerability Type**: Insecure Direct Object Reference (IDOR)\n- **Impact**: Privilege Escalation &amp; Account Takeover\n- **Exploit Status**: poc\n- **KEV Status**: No\n\n## Affected Systems\n\n- phpMyFAQ deployments with administrative API routes enabled\n- **phpMyFAQ**: &lt;= 4.1.3\n\n## Mitigation\n\n- Restrict network access to the admin panel via IP blocklists or VPN gateways.\n- Enable query-level logging to monitor parameters passed to user-modification endpoints.\n- Deploy WAF rules to detect and alert on unauthorized PUT requests containing administrative user IDs in the JSON payload.\n\n**Remediation Steps:**\n1. Identify the current phpMyFAQ deployment version.\n2. Download and install the updated PHP package containing the complete authorization validation logic for UserController.\n3. Audit the administrative user list to verify that no unauthorized low-privilege users have changed their associated email addresses or group roles.\n4. Invalidate all active administrative sessions post-upgrade to enforce new access-control checks.\n\n## References\n\n- [GHSA-985R-Q3QP-299H Advisory Page](https://github.com/advisories/GHSA-985R-Q3QP-299H)\n- [Predecessor Advisory (GHSA-xvp4-phqj-cjr3)](https://github.com/advisories/GHSA-xvp4-phqj-cjr3)\n- [Vendor Code Repository](https://github.com/thorsten/phpMyFAQ)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-985R-Q3QP-299H) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T21:42:10.233338Z"}]}