PT-2026-41366 · Phpmyfaq · Phpmyfaq
Adrgs
·
Published
2026-05-06
·
Updated
2026-06-11
·
CVE-2026-46364
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.2
Description
An unauthenticated SQL injection exists in the
BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods. The issue occurs when unsanitized User-Agent headers are interpolated into DELETE and INSERT queries. Unauthenticated attackers can exploit the ' /api/captcha' endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, which allows for the extraction of sensitive data such as user credentials, admin tokens, and SMTP credentials from the database. Over 1,200 potentially affected devices have been identified.Recommendations
Update to version 4.1.2 or later.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq