CVE-2026-46359 | THREATINT

Description

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-15 | Updated 2026-05-15 | Assigner VulnCheck

HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version before 4.1.2

affected

4.1.2 (semver)

unaffected

Credits

adrgs reporter

aisafe-bot finder

References

github.com/...pMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7 exploit

github.com/...pMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7 (GHSA Advisory GHSA-pm8c-3qq3-72w7) vendor-advisory

www.vulncheck.com/...endata-via-unescaped-oauth-token-fields (VulnCheck Advisory: phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields) third-party-advisory

cve.org (CVE-2026-46359)

nvd.nist.gov (CVE-2026-46359)

Download JSON