9.3
CVE-2026-46364: phpMyFAQ before 4.1.2 allows unauthorized data access
CVE-2026-46364
Summary
The phpMyFAQ software before version 4.1.2 has a security weakness that could allow unauthorized access to sensitive data. This weakness affects the security of user credentials, admin tokens, and SMTP passwords stored in the database. To protect your data, update phpMyFAQ to version 4.1.2 or later.
Original title
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent...
Original description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-89
SQL Injection
Published: 15 May 2026 · Updated: 28 May 2026 · First seen: 15 May 2026