Description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Published: 2026-05-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsanitized User‑Agent header is interpolated into SQL statements inside phpMyFAQ’s BuiltinCaptcha class, allowing attackers to send crafted requests to the public /api/captcha endpoint and perform a blind SQL injection. The injection can be leveraged to extract sensitive data, including user credentials, admin tokens, and SMTP configuration from the database. The flaw is exploitable without authentication, meaning any web client that can reach the endpoint can attempt the attack.

Affected Systems

This flaw exists in phpMyFAQ installations provided by thorsten. All versions earlier than 4.1.2 are affected, while 4.1.2 and later include the patch that sanitizes the User‑Agent field and removes the unsafe query code.

Risk and Exploitability

With a CVSS score of 9.8 the vulnerability is classified as critical. The EPSS score is not reported and the issue is not yet listed in CISA’s KEV catalog, but the lack of an authentication requirement makes exploitation trivial for anyone who can reach the web service. Attackers can use publicly available tools to conduct time‑based blind SQL injection against the /api/captcha endpoint over HTTP, extracting confidential data without needing credentials.

Generated by OpenCVE AI on May 15, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later to apply the vendor’s SQL injection fix.
  • Restrict or disable the /api/captcha endpoint for unauthenticated users or limit access to trusted IP addresses or networks.
  • Enable database query logging and monitor for anomalous DELETE or INSERT statements that could indicate injection attempts.

Generated by OpenCVE AI on May 15, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Title phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
Weaknesses CWE-89
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T22:21:59.231Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46364

cve-icon Vulnrichment

Updated: 2026-05-15T22:11:18.993Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:03.750

Modified: 2026-05-15T19:17:03.750

Link: CVE-2026-46364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses