GHSA-58fg-62fg-3fcj

Source

https://github.com/advisories/GHSA-58fg-62fg-3fcj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-58fg-62fg-3fcj/GHSA-58fg-62fg-3fcj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-58fg-62fg-3fcj

Aliases

CVE-2026-48488

Published

2026-06-23T22:02:25Z

Modified

2026-06-23T22:15:15.452718802Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing

Details

Summary

Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).

Details

Affected File : phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php

Impact

An attacker can generate SHA-1 collisions to bypass attachment protection
Risk of password cracking if database is compromised
Estimated cracking time: < 1 minute for standard attachment

Solution

Use bcrypt:

public function setPassword(string $password): void
{
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

public function verifyPassword(string $plainPassword): bool
{
    return password_verify($plainPassword, $this->passwordHash);
}

Database specific

{
    "github_reviewed_at": "2026-06-23T22:02:25Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-328"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-08T16:16:43Z"
}

References

Affected packages

Packagist / thorsten/phpmyfaq

Package

Name: thorsten/phpmyfaq
Purl: pkg:composer/thorsten%2Fphpmyfaq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.4

Affected versions

2.*

2.8.0-alpha2

2.8.0-alpha3

2.8.0-beta

2.8.0-beta2

2.8.0-beta3

2.8.0-RC

2.8.0-RC2

2.8.0-RC3

2.8.0-RC4

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16

2.8.17

2.8.18

2.8.19

2.8.20

2.8.21

2.8.22

2.8.23

2.8.24

2.8.25

2.8.26

2.8.27

2.8.28

2.8.29

2.9.0-alpha

2.9.0-alpha2

2.9.0-alpha3

2.9.0-alpha4

2.9.0-beta

2.9.0-beta2

2.9.0-rc

2.9.0-rc2

2.9.0-rc3

2.9.0-rc4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.10.0-alpha

3.*

3.0.0-alpha

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-beta

3.0.0-beta.2

3.0.0-beta.3

3.0.0-RC

3.0.0-RC.2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0-alpha

3.1.0-alpha.2

3.1.0-alpha.3

3.1.0-beta

3.1.0-RC

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0-alpha

3.2.0-beta

3.2.0-beta.2

3.2.0-RC

3.2.0-RC.2

3.2.0-RC.4

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

4.*

4.0.0-alpha

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta

4.0.0-beta.2

4.0.0-RC

4.0.0-RC.2

4.0.0-RC.3

4.0.0-RC.4

4.0.0-RC.5

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.18

4.0.19

4.1.0-alpha

4.1.0-alpha.2

4.1.0-alpha.3

4.1.0-beta

4.1.0-beta.2

4.1.0-RC

4.1.0-RC.2

4.1.0-RC.4

4.1.0-RC.5

4.1.0-RC.6

4.1.0-RC.7

4.1.0

4.1.1

4.1.2

4.1.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-58fg-62fg-3fcj/GHSA-58fg-62fg-3fcj.json"

last_known_affected_version_range

"<= 4.1.3"

Packagist / phpmyfaq/phpmyfaq