CVE-2026-46364 PUBLISHED

phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

Assigner: VulnCheck
Reserved: 13.05.2026 Published: 15.05.2026 Updated: 15.05.2026

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	thorsten
Product	phpmyfaq
Versions	Default: unaffected affected from 0 to 4.1.2 (excl.) Version 4.1.2 is unaffected

Credits

adrgs reporter
aisafe-bot finder

References

Problem Types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE