CVE-2026-48488
Published 2026-06-08
Priority P4 (13), low; CVSS 4.0 score 2.7
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.18% (8.0th percentile)
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | >= 0 < 4.1.4 | 4.1.4 |
| thorsten | phpmyfaq | < 4.1.4 | 4.1.4 |
| thorsten | phpmyfaq | >= 0 < 4.1.4 | 4.1.4 |
GHSA
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
ghsa·2026-06-23
CVE-2026-48488 [LOW] CWE-328 phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
### Summary
Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).
### Details
**Affected File**: `phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php`
### Impact
- An attacker can generate SHA-1 collisions to bypass attachment protection
- Risk of password cracking if database is compromised
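- Estimated cracking time:

```php
// Start of block missing from the page; `setPassword` is a placeholder method name.
public function setPassword(string $password): void
{
    // bcrypt with a per-hash random salt replaces the bare SHA-1 digest
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

public function verifyPassword(string $plainPassword): bool
{
    // password_verify() reads algorithm, cost and salt from the stored hash
    return password_verify($plainPassword, $this->passwordHash);
}
```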
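The following is an added example, not phpMyFAQ's code and not part of the advisory: one way to move existing records off SHA-1 when adopting `password_hash()` is to verify against the legacy digest once and then re-hash with bcrypt. It assumes legacy values are unsalted 40-character hex SHA-1 digests; the class `AttachmentPassword` and its methods are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; the class and method names are hypothetical, not phpMyFAQ's.
// Assumption: a legacy value is the unsalted 40-character hex SHA-1 digest.
final class AttachmentPassword
{
    public function __construct(private string $storedHash) {}

    public function storedHash(): string
    {
        return $this->storedHash;
    }

    // True on a match. The stored hash may be upgraded as a side effect;
    // the caller persists storedHash() afterwards.
    public function verify(string $plain): bool
    {
        if (preg_match('/\A[0-9a-f]{40}\z/i', $this->storedHash) === 1) {
            // Legacy record: constant-time compare against the SHA-1 digest.
            if (!hash_equals(strtolower($this->storedHash), sha1($plain))) {
                return false;
            }
            // Correct password seen once: replace the digest with bcrypt.
            $this->storedHash = password_hash($plain, PASSWORD_BCRYPT);
            return true;
        }
        if (!password_verify($plain, $this->storedHash)) {
            return false;
        }
        // Re-hash if the stored algorithm or cost is older than the current default.
        if (password_needs_rehash($this->storedHash, PASSWORD_BCRYPT)) {
            $this->storedHash = password_hash($plain, PASSWORD_BCRYPT);
        }
        return true;
    }
}

// Constructed sample: a record written before the fix, then two attempts.
$record = new AttachmentPassword(sha1('correct horse battery'));
var_dump($record->verify('wrong guess'));
var_dump($record->verify('correct horse battery'));
var_dump(password_get_info($record->storedHash())['algoName']);
```

Records whose password is never presented again keep their SHA-1 digest under this scheme, so a deployment would still need to expire or reset them.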
VulDB
thorsten phpMyFAQ up to 4.1.3 Attachment Password weak hash
vuldb·2026-06-08·CVSS 2.7
CVE-2026-48488 [LOW] thorsten phpMyFAQ up to 4.1.3 Attachment Password weak hash
A vulnerability was found in thorsten phpMyFAQ up to 4.1.3 and classified as problematic. This affects an unknown function of the component Attachment Password Handler. Such manipulation leads to use of weak hash.
This vulnerability is uniquely identified as CVE-2026-48488. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.