CVE-2026-46364
9.8 CRITICAL
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::s...
Published: 2026-05-15 · Last updated: 2026-05-28
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-89
Description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Source: NVD
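The defect described above is the classic interpolation-of-request-data-into-SQL pattern: a header value is spliced into the text of an INSERT or DELETE statement instead of being bound as a parameter. The following added example (not phpMyFAQ's code, and written in Python against an in-memory SQLite table rather than the project's PHP and database layer) contrasts a hypothetical interpolated save_captcha_unsafe() with parameterised save_captcha_safe() and garbage_collect_safe() equivalents. The table name faqcaptcha, the column names and the sample User-Agent string are constructed for the illustration; the sample deliberately contains only an ordinary apostrophe, which is enough to show that header text can change what the query means.

```python
import sqlite3

# Constructed sample: a User-Agent value with an embedded single quote.
# It is not an attack string; it simply shows how header text that contains
# SQL metacharacters alters an interpolated statement.
SAMPLE_USER_AGENT = "Mozilla/5.0 (X11; Linux) O'Reilly-Reader/1.0"


def make_db():
    # Hypothetical captcha table; column names are assumptions for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faqcaptcha (id TEXT, useragent TEXT, captcha_time INTEGER)"
    )
    return conn


def save_captcha_unsafe(conn, captcha_id, user_agent, now):
    # Vulnerable pattern (hypothetical, modelled on the advisory's description):
    # the raw header value becomes part of the SQL text.
    sql = (
        "INSERT INTO faqcaptcha (id, useragent, captcha_time) "
        "VALUES ('%s', '%s', %d)" % (captcha_id, user_agent, now)
    )
    conn.execute(sql)


def save_captcha_safe(conn, captcha_id, user_agent, now):
    # Hardened form: placeholders, with the header passed as a bound value
    # so the database never parses it as SQL.
    conn.execute(
        "INSERT INTO faqcaptcha (id, useragent, captcha_time) VALUES (?, ?, ?)",
        (captcha_id, user_agent, now),
    )


def garbage_collect_safe(conn, user_agent, max_age_seconds, now):
    # Parameterised DELETE for expired captchas of one client; returns the
    # number of rows removed.
    cur = conn.execute(
        "DELETE FROM faqcaptcha WHERE useragent = ? AND captcha_time < ?",
        (user_agent, now - max_age_seconds),
    )
    return cur.rowcount


def demo():
    conn = make_db()
    # Unsafe path: the apostrophe terminates the string literal early and the
    # statement fails to parse. Against a real deployment, text shaped for the
    # specific DBMS would instead change what the statement does, which is
    # the injection the advisory describes.
    try:
        save_captcha_unsafe(conn, "abc123", SAMPLE_USER_AGENT, 1000)
        unsafe_result = "accepted"
    except sqlite3.OperationalError:
        unsafe_result = "syntax error"
    # Safe path: the same header is stored verbatim and later matched exactly.
    save_captcha_safe(conn, "abc123", SAMPLE_USER_AGENT, 1000)
    stored = [row[0] for row in conn.execute("SELECT useragent FROM faqcaptcha")]
    removed = garbage_collect_safe(conn, SAMPLE_USER_AGENT, 60, 2000)
    return unsafe_result, stored, removed


if __name__ == "__main__":
    print(demo())
```

The parameterised versions cost nothing in functionality: the header is still stored and still used as the garbage-collection key, but its content can no longer reach the SQL parser. When reviewing code like this, the quick check is whether any request-controlled value (headers included, not only form fields) appears inside a string that is later executed.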
QSearch commentary
SQL injection in a CAPTCHA garbage-collector function is the canonical "security-feature defeats security" finding. The fact that a CAPTCHA module — a defensive control — opens an unauthenticated SQLi shows why our Application Security engagements always include adjacent defensive features in the attack surface map. Defense-in-depth fails when one of the defenses is itself the injection vector.
— QSearch Security Research · 2026-05-19
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-46364
- [Other] https://github.com/thorsten/phpMyFAQ/commit/b9f25109fddb38eee19987183798638d07943f92
- [Other] https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w
- [Other] https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha
Engagement axis
This CVE class is addressed in the QSearch continuous-protection axis.
Related CVEs
Same CWE
- CVE-2026-50636 — The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUn... (8.8 HIGH)
- CVE-2026-8025 — Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in MOSK Information Technologies Ltd (9.8 CRITICAL)
- CVE-2026-7486 — Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Netcad Software Inc (9.8 CRITICAL)
- CVE-2017-20249 — Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries ... (8.2 HIGH)
- CVE-2017-20247 — WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrar... (8.2 HIGH)