PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46359 thorsten CVE debrief

CVE-2026-46359 is an authenticated SQL injection issue affecting phpMyFAQ before 4.1.2. According to the published description, OAuth token claims under the attacker's influence reach CurrentUser::setTokenData without being escaped, so a claim value containing a single quote can terminate the string literal the code builds around it and append arbitrary SQL to the query.

Vendor
thorsten
Product
phpmyfaq
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Administrators and developers running phpMyFAQ, especially where login goes through Azure AD or another OAuth/JWT-based flow. Security teams should also care more generally whenever identity claims from an external provider are written into database-backed account or session logic, because the same bug class applies wherever a claim is spliced into query text.

Technical summary

The vulnerability is classified as CWE-89 (SQL injection) in CurrentUser::setTokenData. The injection point is unescaped OAuth token fields, such as the display name or other JWT claims, which may contain SQL metacharacters and are spliced into query text. NVD lists the issue with CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H and marks the record as Deferred, meaning NVD has not enriched it itself. Note the tension between the description, which calls the issue authenticated, and the vector's PR:N: the reading consistent with both is that the attacker must complete an OAuth login whose token carries attacker-controlled claims rather than already hold a phpMyFAQ privilege. The AC:H and UI:R components hold the score to 7.5 but say nothing about the impact once the query executes.

Defensive priority

High. Exploitation needs token claims the attacker can shape and a user interaction step, which is why the score stays at 7.5, but the injected SQL runs with the application's database privileges, so confidentiality, integrity, and availability are all rated High.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later; this is the only complete fix.
  • Review CurrentUser::setTokenData and any related OAuth/JWT claim handling for claim values spliced into SQL text by string concatenation or interpolation.
  • Use parameterized queries (prepared statements with bound values) for every database access path that consumes identity claims, including the subject or user identifier, not only the display name.
  • Validate and normalize inbound identity fields (type, length, control characters) before they are written to SQL-backed storage, but treat this as defense in depth: legitimate names contain apostrophes, so rejecting quotes is not a substitute for parameterization.
  • Audit application logs and database activity for SQL syntax errors, odd query patterns, or account changes originating from authentication flows; a SQL syntax error raised from a login path is a useful indicator that identity data is reaching a query unescaped, since benign names with apostrophes trigger it too.
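As an added illustration (example code, not phpMyFAQ's own and not the patched implementation), the following Python script reproduces the bug class from the list above against an in-memory SQLite table: a setTokenData-style handler that splices a token's display-name claim into an UPDATE, beside the parameterized version with a claim normalizer in front of it. The table layout, the is_admin column, the 64-character name limit and the sample claims are all constructed for the example; phpMyFAQ's real schema and handler differ.

```python
"""Added illustration of CWE-89 in a setTokenData-style handler.
This is example code, not phpMyFAQ's own: the table, the is_admin column,
the 64-character name limit and the sample claims are all constructed here.
"""
import re
import sqlite3

MAX_NAME_LEN = 64  # constructed limit for this example, not a phpMyFAQ value

# Constructed token claims shaped like the display-name / JWT fields the
# advisory describes. HOSTILE_CLAIMS carries SQL metacharacters; the
# apostrophe in APOSTROPHE_CLAIMS is a perfectly legitimate name.
BENIGN_CLAIMS = {"sub": "user-1", "name": "Alice Example"}
APOSTROPHE_CLAIMS = {"sub": "user-1", "name": "Siobhan O'Brien"}
HOSTILE_CLAIMS = {"sub": "user-2", "name": "x', is_admin = 1 WHERE login = 'user-2' --"}


def make_db():
    """Fresh in-memory database with a constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faquser ("
        " user_id INTEGER PRIMARY KEY, login TEXT UNIQUE,"
        " display_name TEXT, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO faquser (login, display_name, is_admin) VALUES (?, ?, ?)",
        [("admin", "Site Admin", 1), ("user-1", "Alice Example", 0), ("user-2", "Bob", 0)],
    )
    conn.commit()
    return conn


def set_token_data_vulnerable(conn, claims):
    """The bug pattern: claim values spliced into the SQL text.
    A single quote in the name ends the string literal and the rest of the
    claim is executed as SQL (the trailing -- comments out the real WHERE)."""
    sql = (
        "UPDATE faquser SET display_name = '" + claims["name"] + "'"
        " WHERE login = '" + claims["sub"] + "'"
    )
    conn.execute(sql)
    conn.commit()


def normalize_display_name(value):
    """Defense in depth, not the fix: reject claims that are not strings,
    empty, over-long or carrying control characters. Quotes are left alone
    because real names contain them; the parameterized query handles them."""
    if not isinstance(value, str):  # JWT claims are JSON and may be lists/objects
        raise ValueError("display name claim must be a string")
    value = " ".join(value.split())  # trim and collapse whitespace
    if not value or len(value) > MAX_NAME_LEN:
        raise ValueError("display name claim empty or too long")
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("display name claim contains control characters")
    return value


def set_token_data_safe(conn, claims):
    """The fix: every claim value travels as a bound parameter, never as SQL."""
    name = normalize_display_name(claims.get("name"))
    conn.execute(
        "UPDATE faquser SET display_name = ? WHERE login = ?",
        (name, claims["sub"]),
    )
    conn.commit()


def apply_claims(conn, claims, hardened):
    """Run one update and report (status, is_admin, display_name) for the
    subject's row, so the two code paths can be compared side by side."""
    try:
        (set_token_data_safe if hardened else set_token_data_vulnerable)(conn, claims)
        status = "ok"
    except (sqlite3.Error, ValueError) as exc:
        status = "error: " + type(exc).__name__
    row = conn.execute(
        "SELECT is_admin, display_name FROM faquser WHERE login = ?", (claims["sub"],)
    ).fetchone()
    return status, row[0], row[1]


if __name__ == "__main__":
    cases = (("benign", BENIGN_CLAIMS), ("apostrophe", APOSTROPHE_CLAIMS), ("hostile", HOSTILE_CLAIMS))
    for label, claims in cases:
        for hardened in (False, True):
            path = "hardened" if hardened else "vulnerable"
            print(label, path, apply_claims(make_db(), claims, hardened))
```

Running the script shows the three outcomes a reviewer should expect: the benign name works on both paths; the name with an apostrophe raises a syntax error on the vulnerable path (the log signal mentioned in the last bullet) and is stored correctly on the safe path; and the hostile claim flips is_admin on the vulnerable path while the safe path stores it verbatim as a harmless string. Note that the subject identifier is bound as a parameter too, since it reaches the query by the same route.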

Evidence notes

This summary is based on the supplied CVE description, the NVD record metadata, and the linked advisory references in the record. The record lists CWE-89 and the CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, and it marks the NVD status as Deferred. The vendor/product naming in the source metadata is low-confidence, so product context is taken from the CVE description and advisory references rather than inferred from the vendor field.

Official resources

The CVE was published on 2026-05-15, and the NVD record was modified on 2026-05-18. Related advisories are referenced from the NVD record, including the phpMyFAQ GitHub security advisory and a VulnCheck advisory.