VYPR
Critical severity9.8NVD Advisory· Published May 15, 2026· Updated May 28, 2026

CVE-2026-46364

CVE-2026-46364

Description

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 4.1.24.1.2
phpmyfaq/phpmyfaqPackagist
< 4.1.24.1.2

Affected products

2
  • Thorsten/Phpmyfaqreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <4.1.2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.