CVE-2026-48488: Weak Cryptographic Hash (SHA-1) Usage for Attachment Encryption Keys in phpMyFAQ
Vulnerability ID: CVE-2026-48488
CVSS Score: 2.7
Published: 2026-06-23
Prior to version 4.1.4, phpMyFAQ used the cryptographically broken SHA-1 algorithm to hash custom attachment encryption keys stored in the database. Attackers with database access can recover these plaintext keys through offline brute-force attacks and subsequently decrypt sensitive file attachments.
TL;DR
phpMyFAQ stored SHA-1 hashes of custom attachment encryption keys in the database. Attackers gaining database read access can rapidly crack these hashes offline to decrypt sensitive attachments.
Technical Details
- CWE ID: CWE-328 (Use of Weak Hash)
- Attack Vector: Network (AV:N)
- CVSS v4.0: 2.7 (Low)
- EPSS Score: 0.00182
- Impact: Low (Confidentiality compromise of encrypted attachments)
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- phpMyFAQ: < 4.1.4 (fixed in 4.1.4)
Code Analysis
Commit: 1aa9be6
Remove password hashing and password property from Attachment
Mitigation Strategies
- Upgrade phpMyFAQ to version 4.1.4 or higher
- Manually sanitize historical SHA-1 hashes from the database
- Rotate attachment encryption keys if a database breach has occurred
Remediation Steps
- Upgrade the phpMyFAQ application code to version 4.1.4 or later
- Run the SQL command to clear legacy columns: UPDATE faqattachment SET password_hash = NULL;
- Audit database read access logs to ensure no unauthorized access has occurred
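To make the cleanup step auditable rather than a blind UPDATE, the following added script (not part of the advisory or of phpMyFAQ) lists the attachments that still carry a legacy 40-hex SHA-1 key hash, runs the advisory's cleanup statement, and re-checks that none remain. The table name faqattachment and column password_hash come from the advisory's SQL; the remaining columns, the in-memory SQLite backend and the sample rows are assumptions constructed for the demo.

```python
import re
import sqlite3

# A raw SHA-1 digest stored as text is exactly 40 hex characters.
LEGACY_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample data. Table and column names (faqattachment,
# password_hash) are taken from the advisory's remediation SQL; the other
# columns and the hash values are assumptions for this demo only.
SAMPLE_ROWS = [
    (1, "budget.xlsx", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    (2, "notes.txt", None),
    (3, "contract.pdf", "2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12"),
    (4, "logo.png", ""),
]


def load_sample_db():
    """Build an in-memory SQLite stand-in for the phpMyFAQ attachment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faqattachment (id INTEGER PRIMARY KEY, "
        "filename TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO faqattachment VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def legacy_hash_ids(conn):
    """Ids of attachments whose key is still stored as a SHA-1 hash.

    Filtering is done in Python so it behaves the same on any SQL backend;
    on a large table a LENGTH(password_hash) = 40 pre-filter in the query
    would cut the rows fetched. These ids are the attachments whose keys
    should be rotated if the database may have been read."""
    rows = conn.execute("SELECT id, password_hash FROM faqattachment").fetchall()
    return sorted(r[0] for r in rows if r[1] and LEGACY_SHA1.match(r[1]))


def clear_legacy_hashes(conn):
    """Run the advisory's cleanup statement; returns the number of rows touched."""
    cur = conn.execute("UPDATE faqattachment SET password_hash = NULL")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = load_sample_db()
    print("attachments needing key rotation:", legacy_hash_ids(db))
    clear_legacy_hashes(db)
    print("legacy hashes remaining:", legacy_hash_ids(db))
```

Record the id list before running the cleanup, since the UPDATE erases the only evidence of which attachments were affected.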
References
- GHSA-58fg-62fg-3fcj: Weak Cryptography in phpMyFAQ Attachment Keys
- Fix Commit: Remove password hashing and password property from Attachment