Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.
AnalysisAI
SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. Publicly available exploit code exists per VulnCheck and the GHSA advisory, though EPSS is low (0.03%, 9th percentile) and the issue is not in CISA KEV.
Technical ContextAI
phpMyFAQ is an open-source PHP-based FAQ management system (CPE cpe:2.3:a:thorsten:phpmyfaq) that supports Microsoft Azure AD / Entra ID OAuth single sign-on. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). In phpmyfaq/src/phpMyFAQ/User/CurrentUser.php lines 515-534, the setTokenData() method builds a SQL UPDATE against the faquser table by interpolating refresh_token, access_token, code_verifier, and json_encode($token['jwt']) directly into single-quoted string literals via sprintf, omitting the $db->escape() call that sibling methods setAuthSource() and setRememberMe() correctly use. Crucially, json_encode() does not escape single quotes, so a JWT claim such as preferred_username='O'Malley' survives encoding and terminates the SQL string literal, allowing arbitrary SQL to be appended.
RemediationAI
Vendor-released patch: upgrade phpMyFAQ to 4.1.2 or later, which adds proper $db->escape() handling in CurrentUser::setTokenData() consistent with setAuthSource() and setRememberMe(); see https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7 and the VulnCheck advisory at https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields for details. If patching cannot be performed immediately, disable the Azure AD / Entra ID OAuth login provider in the phpMyFAQ configuration to eliminate the reachable code path - this prevents single sign-on with Microsoft accounts and forces users to local authentication. As a tighter compensating control on the identity side, restrict the Entra ID app registration assignment to a trusted, vetted user group whose display names and custom claims you control and audit, accepting that this only narrows rather than removes the risk. As a final defensive layer, place the phpMyFAQ database account behind least-privilege grants (UPDATE on faquser only) and enable database query logging on the faquser table to detect anomalous statements while the patch is rolled out.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30594
GHSA-p9wc-4pjv-rg82