Description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Published: 2026-05-15
Score: 9.3 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsanitized User‑Agent header is inserted directly into SQL statements in phpMyFAQ’s BuiltinCaptcha class, a classic SQL injection weakness (CWE‑89). Attackers can target the public /api/captcha endpoint with crafted requests, performing time‑based blind injection. This allows extraction of sensitive data such as user credentials, admin tokens, and SMTP configuration from the database. The flaw is exploitable without authentication, so any web client reaching the endpoint can attempt the attack.

Affected Systems

This flaw exists in phpMyFAQ installations provided by thorsten. All versions earlier than 4.1.2 are affected, while 4.1.2 and later include the patch that sanitizes the User‑Agent field and removes the unsafe query code.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is classified as critical. The EPSS score is now 1%, indicating a very low exploitation probability, and the issue is not yet listed in CISA’s KEV catalog, but the lack of an authentication requirement makes exploitation trivial for anyone who can reach the web service. Attackers can use publicly available tools to conduct time‑based blind SQL injection against the /api/captcha endpoint over HTTP, extracting confidential data without needing credentials.

Generated by OpenCVE AI on June 18, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later to apply the vendor’s SQL injection fix.
  • Restrict or disable the /api/captcha endpoint for unauthenticated users or limit access to trusted IP addresses or networks.
  • Enable database query logging and monitor for anomalous DELETE or INSERT statements that could indicate injection attempts.

Generated by OpenCVE AI on June 18, 2026 at 07:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-289f-fq7w-6q2w phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
History

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Title phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
Weaknesses CWE-89
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:26.917Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46364

cve-icon Vulnrichment

Updated: 2026-05-15T22:11:18.993Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T19:17:03.750

Modified: 2026-06-17T10:53:36.230

Link: CVE-2026-46364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T08:00:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')