PatchSiren cyber security CVE debrief
CVE-2026-46364 thorsten CVE debrief
CVE-2026-46364 is a critical unauthenticated SQL injection in phpMyFAQ before 4.1.2. The issue is triggered through the public /api/captcha flow, where malicious User-Agent values are interpolated into SQL in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(). Because the injection is reachable without authentication, exposed databases may leak sensitive information such as user credentials, admin tokens, and SMTP secrets.
- Vendor
- thorsten
- Product
- phpmyfaq
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Operators of phpMyFAQ installations, especially anyone exposing the public captcha API; application owners; database administrators; and security teams responsible for credential rotation and web application patching.
Technical summary
According to the supplied description and NVD metadata, the flaw is an unauthenticated SQL injection in phpMyFAQ's BuiltinCaptcha code path. Unsanitized User-Agent header content is concatenated into DELETE and INSERT statements, enabling time-based blind SQL injection through the public GET /api/captcha endpoint. The NVD record maps the issue to CWE-89 and lists a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which aligns with broad remote impact on confidentiality, integrity, and availability.
Defensive priority
Critical. This is network-reachable, requires no authentication, and can expose highly sensitive database contents. Patch and secret rotation should be treated as urgent.
Recommended defensive actions
- Upgrade phpMyFAQ to version 4.1.2 or later.
- Treat all exposed instances as potentially impacted if /api/captcha is reachable from untrusted networks.
- Rotate any credentials or secrets stored in the database, including user passwords, admin tokens, and SMTP credentials, if exposure is plausible.
- Review web and database logs for suspicious User-Agent patterns or repeated slow queries consistent with blind SQL injection attempts.
- Validate that the referenced remediation commit and upstream advisory are applied in your build or deployment pipeline.
- If immediate patching is not possible, restrict access to the affected endpoint and place compensating controls in front of the application.
Evidence notes
The supplied source corpus identifies phpMyFAQ before 4.1.2 as affected and cites three references: a remediation commit, a GitHub Security Advisory, and a VulnCheck advisory. NVD metadata in the corpus marks the record as Deferred and associates it with CWE-89 and a critical CVSS 3.1 vector. The disclosure date used here is the CVE published date from the provided timeline, not generation or review timing.
Official resources
Publicly disclosed in the supplied advisory corpus and published as CVE-2026-46364 on 2026-05-15; modified on 2026-05-18. No KEV entry was provided in the source corpus.