[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-45010":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-16T00:33:26.750Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":346,"aliases":347,"duplicate_of":9,"upstream":348,"downstream":349,"duplicates":350,"related":351,"reserved_at":9,"published_at":352,"modified_at":353,"state":354,"summary":355,"references_raw":362,"kevs":374,"epss":9,"epss_history":375,"metrics":376,"affected":384},"CVE-2026-45010","phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-307","Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.","weakness","Draft","Base",[19,23,105,164,249,284,342],{"id":20,"name":21,"techniques":22},"CAPEC-16","Dictionary-based Password Attack",[],{"id":24,"name":25,"techniques":26},"CAPEC-49","Password Brute Forcing",[27],{"id":28,"name":29,"tactics":30,"countermeasures":34},"T1110.001","Password Guessing",[31],{"id":32,"name":33},"TA0031","Credential Access",[35,40,44,48,53,57,62,67,71,75,79,83,87,91,95,100],{"id":36,"name":37,"tactic":38},"D3-CCSA","Credential Compromise Scope Analysis",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-AEM","Application Exception Monitoring",{"name":39},{"id":45,"name":46,"tactic":47},"D3-OPM","Operational Process Monitoring",{"name":39},{"id":49,"name":50,"tactic":51},"D3-CR","Credential Revocation",{"name":52},"Evict",{"id":54,"name":55,"tactic":56},"D3-ANCI","Authentication Cache Invalidation",{"name":52},{"id":58,"name":59,"tactic":60},"D3-DUC","Decoy User Credential",{"name":61},"Deceive",{"id":63,"name":64,"tactic":65},"D3-CH","Credential Hardening",{"name":66},"Harden",{"id":68,"name":69,"tactic":70},"D3-MFA","Multi-factor Authentication",{"name":66},{"id":72,"name":73,"tactic":74},"D3-CRO","Credential Rotation",{"name":66},{"id":76,"name":77,"tactic":78},"D3-PR","Password Rotation",{"name":66},{"id":80,"name":81,"tactic":82},"D3-PWA","Password Authentication",{"name":66},{"id":84,"name":85,"tactic":86},"D3-CDP","Change Default Password",{"name":66},{"id":88,"name":89,"tactic":90},"D3-SPP","Strong Password Policy",{"name":66},{"id":92,"name":93,"tactic":94},"D3-OTP","One-time Password",{"name":66},{"id":96,"name":97,"tactic":98},"D3-RIC","Reissue Credential",{"name":99},"Restore",{"id":101,"name":102,"tactic":103},"D3-CTS","Credential Transmission Scoping",{"name":104},"Isolate",{"id":106,"name":107,"techniques":108},"CAPEC-560","Use of Known Domain Credentials",[109],{"id":110,"name":111,"tactics":112,"countermeasures":128},"T1078","Valid Accounts",[113,116,119,122,125],{"id":114,"name":115},"TA0030","Defense Evasion",{"id":117,"name":118},"TA0005","Stealth",{"id":120,"name":121},"TA0110","Persistence",{"id":123,"name":124},"TA0111","Privilege Escalation",{"id":126,"name":127},"TA0108","Initial Access",[129,134,138,142,146,150,152,156,160],{"id":130,"name":131,"tactic":132},"D3-AM","Access Modeling",{"name":133},"Model",{"id":135,"name":136,"tactic":137},"D3-LAM","Local Account Monitoring",{"name":39},{"id":139,"name":140,"tactic":141},"D3-DAM","Domain Account Monitoring",{"name":39},{"id":143,"name":144,"tactic":145},"D3-AL","Account Locking",{"name":52},{"id":147,"name":148,"tactic":149},"D3-AA","Agent Authentication",{"name":66},{"id":84,"name":85,"tactic":151},{"name":66},{"id":153,"name":154,"tactic":155},"D3-ULA","Unlock Account",{"name":99},{"id":157,"name":158,"tactic":159},"D3-RUAA","Restore User Account Access",{"name":99},{"id":161,"name":162,"tactic":163},"D3-UAP","User Account Permissions",{"name":104},{"id":165,"name":166,"techniques":167},"CAPEC-565","Password Spraying",[168],{"id":169,"name":166,"tactics":170,"countermeasures":172},"T1110.003",[171],{"id":32,"name":33},[173,175,177,179,183,187,191,195,199,203,207,211,215,219,221,223,225,227,229,231,233,235,237,239,241,243,245],{"id":36,"name":37,"tactic":174},{"name":39},{"id":41,"name":42,"tactic":176},{"name":39},{"id":45,"name":46,"tactic":178},{"name":39},{"id":180,"name":181,"tactic":182},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":39},{"id":184,"name":185,"tactic":186},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":39},{"id":188,"name":189,"tactic":190},"D3-CSPP","Client-server Payload Profiling",{"name":39},{"id":192,"name":193,"tactic":194},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":39},{"id":196,"name":197,"tactic":198},"D3-NTSA","Network Traffic Signature Analysis",{"name":39},{"id":200,"name":201,"tactic":202},"D3-APCA","Application Protocol Command Analysis",{"name":39},{"id":204,"name":205,"tactic":206},"D3-NTCD","Network Traffic Community Deviation",{"name":39},{"id":208,"name":209,"tactic":210},"D3-RTSD","Remote Terminal Session Detection",{"name":39},{"id":212,"name":213,"tactic":214},"D3-CAA","Connection Attempt Analysis",{"name":39},{"id":216,"name":217,"tactic":218},"D3-ANAA","Administrative Network Activity Analysis",{"name":39},{"id":49,"name":50,"tactic":220},{"name":52},{"id":54,"name":55,"tactic":222},{"name":52},{"id":58,"name":59,"tactic":224},{"name":61},{"id":63,"name":64,"tactic":226},{"name":66},{"id":68,"name":69,"tactic":228},{"name":66},{"id":72,"name":73,"tactic":230},{"name":66},{"id":76,"name":77,"tactic":232},{"name":66},{"id":80,"name":81,"tactic":234},{"name":66},{"id":84,"name":85,"tactic":236},{"name":66},{"id":88,"name":89,"tactic":238},{"name":66},{"id":92,"name":93,"tactic":240},{"name":66},{"id":96,"name":97,"tactic":242},{"name":99},{"id":101,"name":102,"tactic":244},{"name":104},{"id":246,"name":247,"tactic":248},"D3-NTF","Network Traffic Filtering",{"name":104},{"id":250,"name":251,"techniques":252},"CAPEC-600","Credential Stuffing",[253],{"id":254,"name":251,"tactics":255,"countermeasures":257},"T1110.004",[256],{"id":32,"name":33},[258,260,262,264,266,268,270,272,274,276,278,280,282],{"id":41,"name":42,"tactic":259},{"name":39},{"id":45,"name":46,"tactic":261},{"name":39},{"id":180,"name":181,"tactic":263},{"name":39},{"id":184,"name":185,"tactic":265},{"name":39},{"id":188,"name":189,"tactic":267},{"name":39},{"id":192,"name":193,"tactic":269},{"name":39},{"id":196,"name":197,"tactic":271},{"name":39},{"id":200,"name":201,"tactic":273},{"name":39},{"id":204,"name":205,"tactic":275},{"name":39},{"id":208,"name":209,"tactic":277},{"name":39},{"id":212,"name":213,"tactic":279},{"name":39},{"id":216,"name":217,"tactic":281},{"name":39},{"id":246,"name":247,"tactic":283},{"name":104},{"id":285,"name":286,"techniques":287},"CAPEC-652","Use of Known Kerberos Credentials",[288],{"id":289,"name":290,"tactics":291,"countermeasures":293},"T1558","Steal or Forge Kerberos Tickets",[292],{"id":32,"name":33},[294,296,298,300,302,304,306,308,310,312,316,318,320,322,324,326,328,332,336,338,340],{"id":180,"name":181,"tactic":295},{"name":39},{"id":184,"name":185,"tactic":297},{"name":39},{"id":188,"name":189,"tactic":299},{"name":39},{"id":192,"name":193,"tactic":301},{"name":39},{"id":196,"name":197,"tactic":303},{"name":39},{"id":200,"name":201,"tactic":305},{"name":39},{"id":204,"name":205,"tactic":307},{"name":39},{"id":208,"name":209,"tactic":309},{"name":39},{"id":36,"name":37,"tactic":311},{"name":39},{"id":313,"name":314,"tactic":315},"D3-RTA","RPC Traffic Analysis",{"name":39},{"id":49,"name":50,"tactic":317},{"name":52},{"id":54,"name":55,"tactic":319},{"name":52},{"id":58,"name":59,"tactic":321},{"name":61},{"id":63,"name":64,"tactic":323},{"name":66},{"id":68,"name":69,"tactic":325},{"name":66},{"id":72,"name":73,"tactic":327},{"name":66},{"id":329,"name":330,"tactic":331},"D3-TB","Token Binding",{"name":66},{"id":333,"name":334,"tactic":335},"D3-TBA","Token-based Authentication",{"name":66},{"id":96,"name":97,"tactic":337},{"name":99},{"id":246,"name":247,"tactic":339},{"name":104},{"id":101,"name":102,"tactic":341},{"name":104},{"id":343,"name":344,"techniques":345},"CAPEC-653","Use of Known Operating System Credentials",[],[],[],[],[],[],[],"2026-05-15T18:36:37.522Z","2026-05-15T22:22:06.593Z","Received",{"cisa_kev":356,"cisa_ransomware":356,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":357,"severity_score":358,"severity_version":359,"severity_source":360,"severity_vector":361,"severity_status":354},false,"critical",9.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",[363,369],{"url":364,"sources":365,"tags":367},"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j",[360,366],"nvd",[368],"Vendor Advisory",{"url":370,"sources":371,"tags":372},"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint",[360,366],[373],"Third Party Advisory",[],[],[377,382],{"source":360,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":378,"cvss_v4_0":9},{"baseScore":358,"baseSeverity":379,"vectorString":361,"impactScore":380,"exploitabilityScore":381},"CRITICAL",8.7,10,{"source":366,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":383,"cvss_v4_0":9},{"baseScore":358,"baseSeverity":379,"vectorString":361,"impactScore":380,"exploitabilityScore":381},[385],{"ecosystem":9,"name":386,"vendor":387,"product":386,"cpe_part":388,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":389},"phpmyfaq","thorsten","a",[390],{"version":391,"is_range":392,"range_type":360,"version_start":9,"version_start_type":9,"version_end":393,"version_end_type":394,"fixed_in":9},"\u003C 4.1.2",true,"4.1.2","excluding"]