PHP
CVE-2026-32629
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML - for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely.
Details
- PHP FILTER_VALIDATE_EMAIL accepts RFC-valid quoted local parts with dangerous characters
phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php:99 $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL)); PHP accepts "<script>alert(1)</script>"@evil.com as a valid email (RFC 5321 allows <, > inside quoted local parts). Confirmed: "<script>alert(1)</script>"@evil.com => string (valid, not false)
- Email stored raw without HTML sanitization
phpmyfaq/src/phpMyFAQ/Faq.php - email retrieved directly as $row->email from the database.
- Admin Twig template renders email with |raw
phpmyfaq/assets/templates/admin/content/faq.editor.twig:296 <input type="email" name="email" id="email" value="{{ faqData['email'] | raw }}" class="form-control">
Affected version: 4.2.0-alpha, commit f0dc86c8f
PoC
The reproduction of the vulnerability was implemented with the help of AI while reviewing the source code to generate the proof-of-concept. Please kindly note this for reference. Since the vulnerability has already been confirmed directly in the source code, the proof-of-concept code may be considered as a reference only.
Please extract the attached compressed file and proceed. poc.zip
- (docker compose -f docker-compose.yml down -v)
- docker compose -f docker-compose.yml up -d mariadb php-fpm nginx
- bash exploit.sh
-----
- Access http://localhost:8888/admin/
- Log in with admin / Admin1234!
- After logging in, check whether the URL remains http://localhost:8888/admin/
- Go to Content → FAQ Administration → edit "poc" → alert popup should appear
If it does not appear, you can also access it directly via: http://localhost:8888/admin/faq/edit/1/en
<img width="1388" height="239" alt="스크린샷 2026-03-12 오후 11 42 52" src="https://github.com/user-attachments/assets/b6d5446f-4eba-4cb2-9284-1bca4855142e" /> <img width="1171" height="92" alt="스크린샷 2026-03-12 오후 11 16 17" src="https://github.com/user-attachments/assets/3578e429-7106-4616-92ed-4167816d40f0" />
Impact
When an administrator opens /admin/faq/edit/{id}/{lang} to review the pending FAQ, the injected script executes in the admin's browser context. This allows an attacker to:
- Steal the administrator's session cookie → full admin account takeover
- Perform arbitrary admin actions (create users, modify content, change configuration)
- Pivot to further attacks on the server
The attack chain requires no authentication. By default, records.allowNewFaqsForGuests=true allows unauthenticated FAQ submission, and records.defaultActivation=false guarantees the administrator must visit the edit page to review it.
Note on captcha: The built-in captcha is enabled by default when the PHP gd extension is present (spam.enableCaptchaCode=true). This prevents fully automated exploitation but does not prevent a targeted manual attack - an attacker can solve the captcha once and submit the payload.
Credits
wooseokdotkim
AnalysisAI
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
Technical ContextAI
phpMyFAQ uses PHP's FILTER_VALIDATE_EMAIL function to validate email addresses submitted via the FaqController API endpoint. RFC 5321 permits quoted local parts to contain special characters including angle brackets, allowing syntactically valid addresses like '"<script>alert(1)</script>"@evil.com'. The email validation occurs in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php at line 99, where Filter::filterVar() with FILTER_VALIDATE_EMAIL accepts the malicious string. The email is then persisted to the database via phpmyfaq/src/phpMyFAQ/Faq.php without HTML entity encoding or sanitization. The CWE-20 (Improper Input Validation) root cause manifests in two layers: insufficient email validation that fails to restrict RFC-valid but dangerous characters, and inadequate output encoding. The admin template at phpmyfaq/assets/templates/admin/content/faq.editor.twig line 296 renders the stored email using Twig's |raw filter, which explicitly disables automatic escaping and passes the HTML directly to the browser, bypassing Twig's default auto-escaping protection.
RemediationAI
Immediate remediation requires patched version information from the vendor advisory at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph. Pending vendor patch availability, implement the following mitigations: (1) Disable guest FAQ submissions by setting records.allowNewFaqsForGuests=false in configuration, which eliminates the unauthenticated entry vector; (2) Enforce strict CAPTCHA validation and rate-limiting on FAQ submission endpoints; (3) Apply HTML entity encoding to the email field in the admin template by replacing |raw with standard Twig escaping: change '{{ faqData['email'] | raw }}' to '{{ faqData['email'] }}' or explicitly use '{{ faqData['email'] | escape }}'; (4) Implement server-side email validation that rejects RFC-valid quoted local parts containing special characters, restricting the local part to alphanumeric characters, dots, hyphens, and underscores per RFC 5321 recommendations for SMTP; (5) Sanitize all user-submitted email fields before database storage using an HTML sanitization library.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-98gw-w575-h2ph