Skip to main content

phpMyFAQ CVE-2026-46359

| EUVDEUVD-2026-30594 HIGH
SQL Injection (CWE-89)
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 16:42 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:41 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:32 vuln.today
Analysis Generated
May 15, 2026 - 19:32 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.

AnalysisAI

SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. Publicly available exploit code exists per VulnCheck and the GHSA advisory, though EPSS is low (0.03%, 9th percentile) and the issue is not in CISA KEV.

Technical ContextAI

phpMyFAQ is an open-source PHP-based FAQ management system (CPE cpe:2.3:a:thorsten:phpmyfaq) that supports Microsoft Azure AD / Entra ID OAuth single sign-on. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). In phpmyfaq/src/phpMyFAQ/User/CurrentUser.php lines 515-534, the setTokenData() method builds a SQL UPDATE against the faquser table by interpolating refresh_token, access_token, code_verifier, and json_encode($token['jwt']) directly into single-quoted string literals via sprintf, omitting the $db->escape() call that sibling methods setAuthSource() and setRememberMe() correctly use. Crucially, json_encode() does not escape single quotes, so a JWT claim such as preferred_username='O'Malley' survives encoding and terminates the SQL string literal, allowing arbitrary SQL to be appended.

RemediationAI

Vendor-released patch: upgrade phpMyFAQ to 4.1.2 or later, which adds proper $db->escape() handling in CurrentUser::setTokenData() consistent with setAuthSource() and setRememberMe(); see https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7 and the VulnCheck advisory at https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields for details. If patching cannot be performed immediately, disable the Azure AD / Entra ID OAuth login provider in the phpMyFAQ configuration to eliminate the reachable code path - this prevents single sign-on with Microsoft accounts and forces users to local authentication. As a tighter compensating control on the identity side, restrict the Entra ID app registration assignment to a trusted, vetted user group whose display names and custom claims you control and audit, accepting that this only narrows rather than removes the risk. As a final defensive layer, place the phpMyFAQ database account behind least-privilege grants (UPDATE on faquser only) and enable database query logging on the faquser table to detect anomalous statements while the patch is rolled out.

Share

CVE-2026-46359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy