Description
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.
Published: 2026-05-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in phpMyFAQ’s CurrentUser::setTokenData function, where OAuth token claims are not properly escaped. A user who is authenticated can craft token fields containing SQL metacharacters, enabling them to break out of string literals and inject arbitrary SQL statements. This flaw allows attackers to read, modify, or delete data within the application’s database, potentially compromising confidentiality and integrity of stored information.

Affected Systems

Affected systems include installations of thorsten’s phpMyFAQ product prior to version 4.1.2 that are configured to use Azure Active Directory for authentication. Users possessing Azure AD accounts whose display names or JWT claims contain SQL metacharacters can exploit this issue. The vulnerability is limited to systems that process OAuth tokens without proper input sanitization.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The exploit requires an authenticated Azure AD account and the ability to embed SQL metacharacters in token fields, which limits the attack surface but still poses significant danger if users with such accounts exist. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting it is not currently a known exploited vulnerability. Nonetheless, the potential for arbitrary database access warrants immediate attention.

Generated by OpenCVE AI on May 15, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later to remove the unauthenticated input handling flaw
  • If an upgrade is not possible, enforce strict validation of OAuth token claims to reject or escape SQL metacharacters before they are stored
  • Disable or reconfigure Azure Active Directory integration until remediation is applied to prevent token-based injection

Generated by OpenCVE AI on May 15, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.
Title phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T21:12:54.058Z

Reserved: 2026-05-13T19:40:27.808Z

Link: CVE-2026-46359

cve-icon Vulnrichment

Updated: 2026-05-15T21:12:45.597Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:03.120

Modified: 2026-05-15T22:16:56.433

Link: CVE-2026-46359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses