SQL Injection Affecting thorsten/phpmyfaq package, versions <4.1.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-THORSTENPHPMYFAQ-16624457
- published10 May 2026
- disclosed6 May 2026
- creditadrgs
Introduced: 6 May 2026
NewCVE-2026-46359 (opens in a new tab)How to fix?
Upgrade thorsten/phpmyfaq to version 4.1.2 or higher.
Overview
thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases
Affected versions of this package are vulnerable to SQL Injection in the setTokenData function when OAuth token fields are interpolated into a SQL statement without proper escaping. An attacker can execute arbitrary SQL commands by supplying specially crafted values in OAuth claims, such as a display name containing SQL metacharacters, during the authentication process. This is only exploitable if Azure AD (Entra ID) authentication is enabled and the attacker can authenticate via OAuth.