Skip to main content

phpMyFAQ CVE-2026-46364

| EUVDEUVD-2026-30601 CRITICAL
SQL Injection (CWE-89)
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 28, 2026 - 16:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Source Code Evidence Fetched
May 15, 2026 - 19:30 vuln.today
Analysis Generated
May 15, 2026 - 19:30 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

AnalysisAI

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and SMTP secrets by sending a crafted User-Agent header to the public GET /api/captcha endpoint. The flaw sits in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which interpolate the header into DELETE and INSERT statements via sprintf with no escaping. No public exploit identified at time of analysis, though VulnCheck has published a detailed reachability writeup and a verified time-based blind PoC payload appears in the GHSA advisory.

Technical ContextAI

phpMyFAQ is a PHP-based open-source FAQ management system tracked under CPE cpe:2.3:a:thorsten:phpmyfaq. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). In phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php at lines 298 and 330, the $this->userAgent and $this->ip values, populated directly from request headers in the constructor, are concatenated into raw SQL via sprintf() and dispatched through $db->query() without going through the existing Database::escape() helper or a prepared statement. The same file's checkCaptchaCode() at line 472 does use $db->escape(), confirming the sanitizer was available but skipped in the two captcha lifecycle sinks. Both sinks fire on every request to the unauthenticated GET /api/captcha route exposed by CaptchaController.

RemediationAI

Vendor-released patch: upgrade to phpMyFAQ 4.1.2 or later, available from the maintainers per advisory https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w. Composer users should run composer update thorsten/phpmyfaq to pull >=4.1.2. If immediate upgrade is not possible, block or rate-limit the GET /api/captcha endpoint at the reverse proxy or WAF, and strip or whitelist the User-Agent header before it reaches PHP - this will break captcha generation for legitimate users and visually disable the captcha challenge on forms, so plan a maintenance window. A WAF rule rejecting SQL keywords (SLEEP, BENCHMARK, UNION, single quotes) in User-Agent headers is a narrower stopgap but will produce false positives for security scanners and exotic browser strings. Additional vendor context is available at https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha and https://vuldb.com/vuln/364249.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

CVE-2023-0793 HIGH POC
8.8 Feb 12

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11. Rated high severity (CVSS 8.8), this

Share

CVE-2026-46364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy