External risk intelligence

phpMyFAQ's public API can expose customer data due to SQL injection.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-46364

phpMyFAQ's public API is vulnerable to SQL injection, potentially exposing sensitive customer data like credentials to unauthenticated attackers. This advisory deserves attention now due to the direct exposure of customer data and ease of exploitation.

5Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-46364

phpMyFAQ is a content management system designed to serve as a public-facing FAQ portal. Its primary function is to provide help content to users via the web, meaning the application and its associated API endpoints, such as the vulnerable captcha interface, are typically exposed to the public internet by design in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-46364

Yes

CVE-2026-46364 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI relevant because it is an unauthenticated SQL injection vulnerability that allows attackers to extract sensitive data like user credentials.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows unauthenticated attackers to inject malicious SQL commands into phpMyFAQ through its API. This can lead to the extraction of sensitive information like user credentials and administrative tokens.

  • Sensitive data can be stolen.
  • Affects systems reachable from the internet.
  • Exploitable without a login.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this SQL injection flaw by sending specially crafted requests to the `/api/captcha` endpoint. The vulnerability lies in how the application processes the User-Agent header, interpolating it directly into database queries without proper sanitization. This allows attackers to manipulate the queries to extract sensitive information from the database.

  • No authentication required.
  • Targets the `/api/captcha` endpoint.
  • Exploits unsanitized User-Agent header.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to weaponize this vulnerability due to its unauthenticated nature and the direct access to sensitive data. The SQL injection flaw allows for immediate data exfiltration without any prior compromise. The public API endpoint makes exploitation straightforward for motivated actors.

  • Publicly accessible API endpoint.
  • Direct access to sensitive data.
  • Unauthenticated exploitation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking traffic to the `/api/captcha` endpoint and reviewing logs for anomalous User-Agent strings, as exploitation is highly likely. Teams should focus on identifying all instances of phpMyFAQ and assessing their exposure to external requests. If the application is publicly accessible, consider taking it offline until a patch can be applied.

  • Block public access to the captcha endpoint.
  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Monitor for SQL injection patterns in logs.

Frequently asked questions

What is phpMyFAQ and what is its primary purpose?

phpMyFAQ is a content management system developed to help users create and manage frequently asked questions (FAQs) on their websites. It simplifies the process of publishing support content, making it a useful tool for organizations needing to provide information and answers to their audience.

What type of weakness does CVE-2026-46364 represent in phpMyFAQ?

CVE-2026-46364 is a critical vulnerability classified as an SQL injection (CWE-89) weakness. This means that attackers can insert malicious SQL code into the application's database queries, potentially leading to unauthorized data access or manipulation.

How can attackers exploit the phpMyFAQ vulnerability via its API?

Attackers can exploit this vulnerability by sending crafted requests to the `/api/captcha` endpoint without authentication. The weakness involves the application improperly handling the User-Agent header, which is then included in database queries, enabling time-based blind SQL injection to extract sensitive data.

What is the significance of CVE-2026-46364 for publicly accessible systems?

This vulnerability is highly relevant for publicly accessible phpMyFAQ instances because the affected API endpoint is exposed to the internet. Attackers can exploit it without needing any prior access or credentials, directly targeting the system to steal sensitive information such as user credentials and administrative tokens.

What actions should be taken to respond to the phpMyFAQ vulnerability?

To mitigate this risk, it is recommended to block external traffic to the `/api/captcha` endpoint immediately. Upgrading phpMyFAQ to version 4.1.2 or later is crucial. Additionally, organizations should monitor system logs for signs of SQL injection attempts and review their phpMyFAQ installations for any public exposure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified