SQL injection in phpMyFAQ - #VU130116

Published: May 5, 2026


Vulnerability identifier: #VU130116
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software:
phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in CurrentUser::setTokenData() in phpmyfaq/src/phpMyFAQ/User/CurrentUser.php when processing OAuth token fields from the Azure AD authentication flow. A remote attacker can supply crafted token claim data to execute arbitrary SQL commands.

User interaction is required to complete the OAuth login flow, and exploitation requires Azure AD authentication to be enabled.
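As an added illustration that is not phpMyFAQ's own code and does not reproduce the real setTokenData() implementation, the following shows the CWE-89 pattern in a hypothetical token-storage routine beside its prepared-statement replacement; it assumes a PDO connection and a throwaway SQLite in-memory table constructed for the demo.

```php
<?php
// Added illustration (not phpMyFAQ's own code): a hypothetical setTokenData()
// that writes OAuth token claims to a user table, first in the vulnerable
// string-concatenation form, then rewritten with a bound-parameter statement.
// Assumes PDO; the table below exists only for this demo (SQLite in memory).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE faquser (user_id INTEGER PRIMARY KEY, access_token TEXT, refresh_token TEXT)');
$pdo->exec("INSERT INTO faquser VALUES (7, '', '')");

// Vulnerable pattern: claim values from the identity provider are interpolated
// straight into the SQL text, so any quote or SQL syntax inside a claim becomes
// part of the statement (CWE-89). The IdP response is untrusted input here.
function setTokenDataVulnerable(PDO $pdo, int $userId, array $token): void
{
    $sql = "UPDATE faquser SET access_token = '" . $token['access_token'] . "', "
         . "refresh_token = '" . $token['refresh_token'] . "' WHERE user_id = " . $userId;
    $pdo->exec($sql);
}

// Hardened form: the query text is fixed and every claim value is bound as a
// parameter, so claim contents are only ever treated as data.
function setTokenDataSafe(PDO $pdo, int $userId, array $token): void
{
    $stmt = $pdo->prepare(
        'UPDATE faquser SET access_token = :access, refresh_token = :refresh WHERE user_id = :id'
    );
    $stmt->execute([
        ':access'  => (string) ($token['access_token'] ?? ''),
        ':refresh' => (string) ($token['refresh_token'] ?? ''),
        ':id'      => $userId,
    ]);
}

// Constructed token whose claim merely contains a single quote, enough to show
// that the vulnerable routine lets claim data alter the statement.
$token = ['access_token' => "abc'123", 'refresh_token' => 'r1'];

try {
    setTokenDataVulnerable($pdo, 7, $token);   // claim data breaks the statement
} catch (PDOException $e) {
    echo 'vulnerable version: statement corrupted by claim data: ' . $e->getMessage() . PHP_EOL;
}

setTokenDataSafe($pdo, 7, $token);             // stored verbatim, quote included
$row = $pdo->query('SELECT access_token FROM faquser WHERE user_id = 7')->fetch(PDO::FETCH_ASSOC);
echo 'safe version stored: ' . $row['access_token'] . PHP_EOL;
```

Until the vendor update is applied, the same check applies to review: any path where token or claim fields reach a query without binding is the pattern to look for.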

Remediation

Install security update from vendor's website.

Sources