Which versions of phpMyFAQ are affected by EUVD-2026-30601?

phpMyFAQ versions before 4.1.2 contain an unauthenticated SQL injection vulnerability in a public API endpoint that enables remote extraction of admin credentials, authentication tokens, and SMTP…. A patch is available.

How to fix or mitigate EUVD-2026-30601?

Within 24 hours: Identify all phpMyFAQ deployments and document current versions. Within 7 days: Upgrade all instances to phpMyFAQ 4.1.2 or later. Within 30 days: Conduct database access logs audit for signs of unauthorized queries, revoke and reissue all SMTP credentials, and reset or reissue all admin authentication tokens as precaution.

phpMyFAQ EUVD-2026-30601

Q: What is the CVSS score of EUVD-2026-30601?

EUVD-2026-30601 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-46364 CRITICAL

SQL Injection (CWE-89)

2026-05-15 VulnCheck

GHSA-ch9q-c9mp-j5gq

Information Disclosure SQLi

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 16:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 16:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 16:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Source Code Evidence Fetched

May 15, 2026 - 19:30 vuln.today

Analysis Generated

May 15, 2026 - 19:30 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

AnalysisAI

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and SMTP secrets by sending a crafted User-Agent header to the public GET /api/captcha endpoint. The flaw sits in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which interpolate the header into DELETE and INSERT statements via sprintf with no escaping. …

RemediationAI

Within 24 hours: Identify all phpMyFAQ deployments and document current versions. Within 7 days: Upgrade all instances to phpMyFAQ 4.1.2 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30601 vulnerability details – vuln.today

Back

phpMyFAQ EUVD-2026-30601

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

phpMyFAQ EUVD-2026-30601

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code