SQL Injection Vulnerability in phpMyFAQ by phpMyFAQ Team
CVE-2026-46359

7.5HIGH

Key Information:

Vendor: Thorsten
Status: pHPMyFAQ
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-46359?

phpMyFAQ versions prior to 4.1.2 are susceptible to a SQL injection vulnerability through the CurrentUser::setTokenData function. This flaw enables authenticated users to manipulate OAuth token claims, particularly when using Azure AD accounts that include SQL metacharacters in their display names or JWT claims. By exploiting this vulnerability, attackers can execute arbitrary SQL queries on the underlying database, leading to potential data breaches and unauthorized access.

Affected Version(s)

phpmyfaq 0 < 4.1.2

phpmyfaq 4.1.2

References

https://github.com/thorsten/phpMyFAQ/security/advisories/...

vendor-advisory

https://www.vulncheck.com/advisories/phpmyfaq-sql-injecti...

third-party-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 13, 2026

Credit

adrgs

aisafe-bot

CVE-2026-46359 Data

JSON

Thorsten

What is CVE-2026-46359?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit