Which versions of phpMyFAQ are affected by CVE-2026-46359?

phpMyFAQ versions prior to 4.1.2 contain a SQL injection vulnerability in Azure AD/Entra ID OAuth integration that allows authenticated users to execute arbitrary database queries.. A patch is available.

How to fix or mitigate CVE-2026-46359?

Within 24 hours: Identify all phpMyFAQ deployments and determine which use Azure AD/Entra ID authentication. Within 7 days: Upgrade all affected instances to phpMyFAQ 4.1.2 or later. Within 30 days: Audit database access logs and OAuth authentication logs for indicators of exploitation; deploy database activity monitoring to detect future SQL injection attempts.

phpMyFAQ CVE-2026-46359

Q: What is the CVSS score of CVE-2026-46359?

CVE-2026-46359 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30594 HIGH

SQL Injection (CWE-89)

2026-05-15 VulnCheck

GHSA-p9wc-4pjv-rg82

SQLi Microsoft

7.7

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 16:42 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 16:41 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 16:22 NVD

7.5 (HIGH) 7.7 (HIGH)

Patch available

May 15, 2026 - 20:02 EUVD

Source Code Evidence Fetched

May 15, 2026 - 19:32 vuln.today

Analysis Generated

May 15, 2026 - 19:32 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.

AnalysisAI

SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. …

RemediationAI

Within 24 hours: Identify all phpMyFAQ deployments and determine which use Azure AD/Entra ID authentication. Within 7 days: Upgrade all affected instances to phpMyFAQ 4.1.2 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory