Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
AnalysisAI
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and SMTP secrets by sending a crafted User-Agent header to the public GET /api/captcha endpoint. The flaw sits in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which interpolate the header into DELETE and INSERT statements via sprintf with no escaping. No public exploit identified at time of analysis, though VulnCheck has published a detailed reachability writeup and a verified time-based blind PoC payload appears in the GHSA advisory.
Technical ContextAI
phpMyFAQ is a PHP-based open-source FAQ management system tracked under CPE cpe:2.3:a:thorsten:phpmyfaq. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). In phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php at lines 298 and 330, the $this->userAgent and $this->ip values, populated directly from request headers in the constructor, are concatenated into raw SQL via sprintf() and dispatched through $db->query() without going through the existing Database::escape() helper or a prepared statement. The same file's checkCaptchaCode() at line 472 does use $db->escape(), confirming the sanitizer was available but skipped in the two captcha lifecycle sinks. Both sinks fire on every request to the unauthenticated GET /api/captcha route exposed by CaptchaController.
RemediationAI
Vendor-released patch: upgrade to phpMyFAQ 4.1.2 or later, available from the maintainers per advisory https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w. Composer users should run composer update thorsten/phpmyfaq to pull >=4.1.2. If immediate upgrade is not possible, block or rate-limit the GET /api/captcha endpoint at the reverse proxy or WAF, and strip or whitelist the User-Agent header before it reaches PHP - this will break captcha generation for legitimate users and visually disable the captcha challenge on forms, so plan a maintenance window. A WAF rule rejecting SQL keywords (SLEEP, BENCHMARK, UNION, single quotes) in User-Agent headers is a narrower stopgap but will produce false positives for security scanners and exotic browser strings. Additional vendor context is available at https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha and https://vuldb.com/vuln/364249.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11. Rated high severity (CVSS 8.8), this
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30601
GHSA-ch9q-c9mp-j5gq