CVE-2026-48488
CVE-2026-48488 is a low-severity vulnerability with a CVSS 4.0 base score of 2.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-328.
Key facts
- Severity: Low (CVSS 4.0 base score 2.7)
- EPSS exploit prediction: 0% (8th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-35091
- Weakness: CWE-328
- Published:
- Last modified:
Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
Frequently asked questions
- What is CVE-2026-48488?
- phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
- How severe is CVE-2026-48488?
- CVE-2026-48488 has a CVSS 4.0 base score of 2.7, rated low severity.
- Is CVE-2026-48488 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (8th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-48488?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-48488 have an EU (EUVD) identifier?
- Yes. CVE-2026-48488 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-35091.
- When was CVE-2026-48488 published?
- CVE-2026-48488 was published on 2026-06-08 and last updated on 2026-06-17.
References
- https://github.com/thorsten/phpMyFAQ/commit/1aa9be6f8a2fa5c527c983826205229fc3129718
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-58fg-62fg-3fcj
Other CWE-328 vulnerabilities
- CVE-2026-36182 — Critical (CVSS 9.8): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing…
- CVE-2020-37168 — Critical (CVSS 9.8): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force…
- CVE-2025-41652 — Critical (CVSS 9.8): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated…
- CVE-2025-27595 — Critical (CVSS 9.8): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily…
- CVE-2022-45141 — Critical (CVSS 9.8): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and…
- CVE-2023-0452 — Critical (CVSS 9.8): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A…