CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha
Severity: CRITICAL (Nuclei template available)
Title source: CNA
Exploitation Summary
CVE-2026-46364 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in the BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods, which interpolate the unsanitized User-Agent header into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.
Nuclei Templates (1)
phpMyFAQ <= 4.1.1 - SQL Injection
Severity: CRITICAL, Verified, by DhiyaneshDk
Shodan:
http.favicon.hash:-1194891278
FOFA:
app="phpMyFAQ"
References (3)
Core References
Vendor Advisory
GHSA Advisory GHSA-289f-fq7w-6q2w
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w
Third Party Advisory
VulnCheck Advisory: phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha
https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha
Scores
CVSS v3
9.8
EPSS
0.0776
EPSS Percentile
92.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (4)
phpmyfaq/phpmyfaq
0 - 4.1.2 (Packagist)
thorsten/phpmyfaq
< 4.1.2
thorsten/phpmyfaq
0 - 4.1.2 (Packagist)
thorsten/phpmyfaq
4.1.2
Published
May 15, 2026
Tracked Since
May 16, 2026