CVE-2026-46364

Published May 15, 2026

Last updated 6 days ago

CVSS critical 9.3
phpMyFAQ

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-46364 describes an unauthenticated SQL injection vulnerability present in phpMyFAQ versions prior to 4.1.2. This flaw specifically impacts the `BuiltinCaptcha::garbageCollector()` and `BuiltinCaptcha::saveCaptcha()` methods, which fail to properly sanitize User-Agent headers. Attackers can exploit this vulnerability by crafting malicious User-Agent headers and sending them to the public `/api/captcha` endpoint. This allows for time-based blind SQL injection, potentially enabling the extraction of sensitive information, including user credentials, administrator tokens, and SMTP credentials from the database.

Description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Source
disclosure@vulncheck.com
NVD status
Deferred

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-89

Social media

Hype score
Not currently trending

  1. We are so back πŸ”₯.Built a PoC for CVE-2026-46364 as part of security research, with Claude AI assisting in analysis and validation🀯. Only For Educational Purposes. #claude #bugbounty #bugbountytip #ethicalhacking #cve #Trending #vibecoding https://t.co/g607OUZJVe

    @0x0smilex

    30 May 2026

    745 Impressions

    0 Retweets

    21 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  2. 🚨 Critical - Multiple phpMyFAQ Vulnerabilities (CVE-2026-46364, CVE-2026-45010) phpMyFAQ contains critical vulnerabilities that may allow unauthenticated attackers to perform SQL injection through crafted User-Agent headers and brute-force TOTP authentication codes via the

    @UpwindMDR

    16 May 2026

    76 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2026-46364 β€” CVSS 9.8/10 β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/WuFLhBLChE

    @OrizonCyber

    15 May 2026

    84 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

References

Sources include official advisories and independent security research.