Skip to main content

PHP CVE-2026-32629

MEDIUM
Improper Input Validation (CWE-20)
2026-03-31 https://github.com/thorsten/phpMyFAQ GHSA-98gw-w575-h2ph
5.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
Analysis Generated
Mar 31, 2026 - 23:31 vuln.today
CVE Published
Mar 31, 2026 - 22:48 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Summary

An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML - for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely.

Details

  1. PHP FILTER_VALIDATE_EMAIL accepts RFC-valid quoted local parts with dangerous characters

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php:99 $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL)); PHP accepts "<script>alert(1)</script>"@evil.com as a valid email (RFC 5321 allows <, > inside quoted local parts). Confirmed: "<script>alert(1)</script>"@evil.com => string (valid, not false)

  1. Email stored raw without HTML sanitization

phpmyfaq/src/phpMyFAQ/Faq.php - email retrieved directly as $row->email from the database.

  1. Admin Twig template renders email with |raw

phpmyfaq/assets/templates/admin/content/faq.editor.twig:296 <input type="email" name="email" id="email" value="{{ faqData['email'] | raw }}" class="form-control">

Affected version: 4.2.0-alpha, commit f0dc86c8f

PoC

The reproduction of the vulnerability was implemented with the help of AI while reviewing the source code to generate the proof-of-concept. Please kindly note this for reference. Since the vulnerability has already been confirmed directly in the source code, the proof-of-concept code may be considered as a reference only.

Please extract the attached compressed file and proceed. poc.zip

  1. (docker compose -f docker-compose.yml down -v)
  2. docker compose -f docker-compose.yml up -d mariadb php-fpm nginx
  3. bash exploit.sh

-----

  1. Access http://localhost:8888/admin/
  2. Log in with admin / Admin1234!
  3. After logging in, check whether the URL remains http://localhost:8888/admin/
  4. Go to Content → FAQ Administration → edit "poc" → alert popup should appear

If it does not appear, you can also access it directly via: http://localhost:8888/admin/faq/edit/1/en

<img width="1388" height="239" alt="스크린샷 2026-03-12 오후 11 42 52" src="https://github.com/user-attachments/assets/b6d5446f-4eba-4cb2-9284-1bca4855142e" /> <img width="1171" height="92" alt="스크린샷 2026-03-12 오후 11 16 17" src="https://github.com/user-attachments/assets/3578e429-7106-4616-92ed-4167816d40f0" />

Impact

When an administrator opens /admin/faq/edit/{id}/{lang} to review the pending FAQ, the injected script executes in the admin's browser context. This allows an attacker to:

  • Steal the administrator's session cookie → full admin account takeover
  • Perform arbitrary admin actions (create users, modify content, change configuration)
  • Pivot to further attacks on the server

The attack chain requires no authentication. By default, records.allowNewFaqsForGuests=true allows unauthenticated FAQ submission, and records.defaultActivation=false guarantees the administrator must visit the edit page to review it.

Note on captcha: The built-in captcha is enabled by default when the PHP gd extension is present (spam.enableCaptchaCode=true). This prevents fully automated exploitation but does not prevent a targeted manual attack - an attacker can solve the captcha once and submit the payload.

Credits

wooseokdotkim

AnalysisAI

Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.

Technical ContextAI

phpMyFAQ uses PHP's FILTER_VALIDATE_EMAIL function to validate email addresses submitted via the FaqController API endpoint. RFC 5321 permits quoted local parts to contain special characters including angle brackets, allowing syntactically valid addresses like '"<script>alert(1)</script>"@evil.com'. The email validation occurs in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php at line 99, where Filter::filterVar() with FILTER_VALIDATE_EMAIL accepts the malicious string. The email is then persisted to the database via phpmyfaq/src/phpMyFAQ/Faq.php without HTML entity encoding or sanitization. The CWE-20 (Improper Input Validation) root cause manifests in two layers: insufficient email validation that fails to restrict RFC-valid but dangerous characters, and inadequate output encoding. The admin template at phpmyfaq/assets/templates/admin/content/faq.editor.twig line 296 renders the stored email using Twig's |raw filter, which explicitly disables automatic escaping and passes the HTML directly to the browser, bypassing Twig's default auto-escaping protection.

RemediationAI

Immediate remediation requires patched version information from the vendor advisory at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph. Pending vendor patch availability, implement the following mitigations: (1) Disable guest FAQ submissions by setting records.allowNewFaqsForGuests=false in configuration, which eliminates the unauthenticated entry vector; (2) Enforce strict CAPTCHA validation and rate-limiting on FAQ submission endpoints; (3) Apply HTML entity encoding to the email field in the admin template by replacing |raw with standard Twig escaping: change '{{ faqData['email'] | raw }}' to '{{ faqData['email'] }}' or explicitly use '{{ faqData['email'] | escape }}'; (4) Implement server-side email validation that rejects RFC-valid quoted local parts containing special characters, restricting the local part to alphanumeric characters, dots, hyphens, and underscores per RFC 5321 recommendations for SMTP; (5) Sanitize all user-submitted email fields before database storage using an HTML sanitization library.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-32629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy