CVE-2026-35671 — phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without — CVE Database · The Intelligence Room