phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | Advisories

Advisories

phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

severity: critical
date: 5/15/2026
Affecting: phpmyfaq >= 0, < 4.1.2
CVE: CVE-2026-46364
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.8
References: GHSA Advisory GHSA-289f-fq7w-6q2w
https://github.com/thorsten/phpMyFAQ/commit/b9f25109fddb38eee19987183798638d07943f92
Credit: adrgs, aisafe-bot
Description: phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo