CVE-2026-46364: Critical SQL Injection in phpMyFAQ Unauthenticated API Access

The National Vulnerability Database has published a critical unauthenticated SQL injection vulnerability (CVE-2026-46364) affecting phpMyFAQ versions prior to 4.1.2. Attackers can exploit the public /api/captcha endpoint by manipulating the User-Agent header. The flaw permits time-based blind SQL injection, which can be used to exfiltrate sensitive data stored in the database, including user credentials, admin tokens, and SMTP configuration.

This vulnerability stems from the interpolation of unsanitized User-Agent strings directly into DELETE and INSERT SQL queries within the BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods. The CVSS score of 9.8 highlights the severity, indicating a high potential for impact on confidentiality, integrity, and availability.
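The root cause described above is a header value spliced into SQL text. The following added example (not phpMyFAQ's code, and using a constructed captcha table rather than the project's schema) contrasts that pattern with bound parameters for both the INSERT and the DELETE path, using SQLite so it runs offline. The function and column names are assumptions chosen for illustration.

```python
import sqlite3

# Minimal stand-in for a captcha table keyed by the client's User-Agent.
# Constructed for illustration; it is not phpMyFAQ's schema.
SCHEMA = """
CREATE TABLE captcha (
    id        TEXT PRIMARY KEY,
    useragent TEXT NOT NULL,
    code      TEXT NOT NULL,
    created   INTEGER NOT NULL
)
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def save_captcha_unsafe(conn, captcha_id, user_agent, code, now):
    # Vulnerable pattern (the shape the advisory describes): the header value
    # is spliced into the SQL text, so any quote character in it changes the
    # statement instead of being stored as data.
    sql = ("INSERT INTO captcha (id, useragent, code, created) VALUES "
           f"('{captcha_id}', '{user_agent}', '{code}', {now})")
    conn.execute(sql)


def save_captcha_safe(conn, captcha_id, user_agent, code, now):
    # Hardened pattern: placeholders. The driver binds the values, so the
    # User-Agent is stored verbatim and never parsed as SQL. Capping the
    # length also keeps oversized headers out of the table.
    conn.execute(
        "INSERT INTO captcha (id, useragent, code, created) VALUES (?, ?, ?, ?)",
        (captcha_id, user_agent[:255], code, now),
    )


def garbage_collect_safe(conn, user_agent, max_age_sec, now):
    # Remove this client's stale captchas. Both variable parts are bound
    # parameters, so the header cannot widen the WHERE clause.
    cur = conn.execute(
        "DELETE FROM captcha WHERE useragent = ? AND created < ?",
        (user_agent[:255], now - max_age_sec),
    )
    return cur.rowcount


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM captcha").fetchone()[0]


def demo():
    """Exercise both patterns with a header that contains apostrophes."""
    quoted_ua = "Mozilla/5.0 (Bob's Browser) 'quoted' token"  # constructed sample header
    now = 1_800_000_000
    results = {}

    conn = new_db()
    try:
        save_captcha_unsafe(conn, "a1", quoted_ua, "X7K2", now)
        results["unsafe_raised"] = False
    except sqlite3.Error:
        results["unsafe_raised"] = True  # the apostrophes broke the statement

    conn = new_db()
    save_captcha_safe(conn, "a1", quoted_ua, "X7K2", now - 7200)     # stale
    save_captcha_safe(conn, "a2", quoted_ua, "Q9P1", now - 60)       # fresh
    save_captcha_safe(conn, "b1", "curl/8.4.0", "LMN0", now - 7200)  # other client
    stored = conn.execute("SELECT useragent FROM captcha WHERE id = 'a1'").fetchone()[0]
    results["safe_stored_verbatim"] = stored == quoted_ua
    results["gc_deleted"] = garbage_collect_safe(conn, quoted_ua, 3600, now)
    results["rows_left"] = count_rows(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

The same apostrophe-bearing header that is a syntax error for the interpolated version is plain data for the bound version, and garbage collection removes only the one stale row belonging to that client. In PHP the equivalent is a PDO or mysqli prepared statement; escaping helpers are not a substitute.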

Defenders must prioritize patching phpMyFAQ installations to version 4.1.2 or later immediately. Given the unauthenticated nature of the exploit, any exposed instance is a prime target. Auditing database access logs for suspicious queries and reviewing the integrity of stored credentials should be part of the immediate response.

What This Means For You

  • If your organization uses phpMyFAQ, you must patch to version 4.1.2 or higher immediately. This vulnerability allows unauthenticated attackers to access sensitive database information, including user credentials, by simply sending a crafted HTTP request. Review your web server access logs for any unusual activity targeting the `/api/captcha` endpoint.

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first is reproduced below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-46364: Unauthenticated SQL Injection via phpMyFAQ API Captcha Endpoint

Sigma YAML
title: CVE-2026-46364: Unauthenticated SQL Injection via phpMyFAQ API Captcha Endpoint
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-46364: requests to the /api/captcha endpoint of phpMyFAQ whose User-Agent header carries common SQL injection keywords. The vulnerability allows unauthenticated attackers to perform time-based blind SQL injection by manipulating the User-Agent header, leading to sensitive data exfiltration.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46364/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_request:
    c-uri|contains: '/api/captcha'
    cs-method: 'GET'
  selection_useragent:
    # The injection point is the User-Agent header, so match there rather than in the URI.
    # 'AND' is omitted: Sigma string matching is case-insensitive, so it would match 'Android'.
    c-useragent|contains:
      - 'UNION'
      - 'SLEEP('
      - 'BENCHMARK('
  condition: selection_request and selection_useragent
falsepositives:
  - Legitimate administrative activity
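The rule above is meant to run in a SIEM; the same logic can be checked directly against web server access logs during the log review the advisory recommends. The following added example (not part of the original page or the SCW rule set) parses Apache/nginx "combined" format lines and flags requests to /api/captcha whose User-Agent contains the keyword patterns the rule looks for. The log lines are constructed samples, and the regexes and function names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" access-log format; nginx's default "combined" log has the same shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Keyword indicators for the technique the advisory describes (time-based blind SQLi),
# anchored with word boundaries and parentheses so ordinary User-Agent strings
# such as "Android" do not match.
SQLI_UA_RE = re.compile(
    r"\b(?:sleep|benchmark)\s*\(|\bunion\s+(?:all\s+)?select\b|'\s*(?:or|and)\b|--\s",
    re.IGNORECASE,
)

TARGET_PATH = "/api/captcha"


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    # Scope to the vulnerable endpoint first; keywords elsewhere are a different signal.
    path = rec["uri"].split("?", 1)[0]
    return path == TARGET_PATH and SQLI_UA_RE.search(rec["ua"]) is not None


def scan(log_text):
    """Return the flagged records (ip, ts, status, ua) for a block of log text."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            flagged.append({k: rec[k] for k in ("ip", "ts", "status", "ua")})
    return flagged


def hits_per_source(flagged):
    """Count flagged requests per client IP; repeated hits suggest automated probing."""
    return Counter(r["ip"] for r in flagged)


# Constructed sample lines: an ordinary Android browser, two probes of the endpoint,
# and one request with keywords in the header but against an unrelated path.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2026:22:20:01 +0000] "GET /api/captcha HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Linux; Android 14) Chrome/124.0"
203.0.113.9 - - [15/May/2026:22:20:07 +0000] "GET /api/captcha HTTP/1.1" 200 312 "-" "Mozilla/5.0 (scan) sleep(5)"
198.51.100.2 - - [15/May/2026:22:21:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.4.0 union select"
203.0.113.9 - - [15/May/2026:22:22:13 +0000] "GET /api/captcha HTTP/1.1" 500 0 "-" "Mozilla/5.0 (scan) UNION SELECT benchmark(1,1)"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for r in hits:
        print(r)
    print(hits_per_source(hits))
```

Two of the four sample lines are flagged, both from the same source, while the Android browser and the keyword-bearing request to a different path are not. If the access log also records request duration (Apache `%D`, nginx `$request_time`), /api/captcha requests that take several seconds are a complementary signal for the time-based technique, independent of which keywords the probe used.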

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-46364  SQLi  phpMyFAQ versions prior to 4.1.2
CVE-2026-46364  SQLi  Vulnerable methods: BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha()
CVE-2026-46364  SQLi  Vulnerable endpoint: GET /api/captcha
CVE-2026-46364  SQLi  Attack vector: malicious User-Agent headers

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

