CRITICALCVE-2026-46364Published 2026-05-15Modified 2026-05-28CNA VulnCheck

CVE-2026-46364: phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 4.1.2
Affected Products: 1

Fix available

4.1.2

Patch commits

https://github.com/thorsten/phpMyFAQ/commit/b9f25109fddb38eee19987183798638d07943f92

Affected packages

thorsten / phpmyfaq
< 4.1.2 (from 0)
Fixed in 4.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Fix available