
phpMyFAQ CVE-2026-46363

EUVD-2026-30598 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 · VulnCheck · GHSA-h36g-93qx-rxgr
Score: 5.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector breakdown (NVD):

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: Passive (UI:P)
  • Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline (4 events)

  • CVSS changed: May 28, 2026, 16:22 (NVD): 5.4 (MEDIUM) → 5.1 (MEDIUM)
  • Patch available: May 15, 2026, 20:02 (EUVD)
  • Source code evidence fetched: May 15, 2026, 19:38 (vuln.today)
  • Analysis generated: May 15, 2026, 19:38 (vuln.today)

Description (CVE.org)

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.

Analysis (AI)

Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. …
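The following is an added illustration of the encode-decode cycle described above. It is example code written for this page, not phpMyFAQ's own source: `stripAttributesOnly()` is a hypothetical stand-in for an attribute-only filter (not the project's `Filter::removeAttributes()`), and the FAQ answer string is constructed for the demonstration. It shows why encoding followed by decoding is a no-op, why stripping attributes leaves `<script>` intact, and what a defender does instead: escape at the output boundary, or run a tag-level allow-list when HTML must be kept.

```php
<?php
// Added example (not phpMyFAQ's code). Demonstrates the encode-decode pitfall
// and the defensive alternatives at the output boundary.
declare(strict_types=1);

// Constructed sample input: a FAQ answer that carries an inline script.
$untrusted = '<p>Reset your password</p><script>alert(1)</script>';

// Step 1: FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes '"<>& as numeric entities,
// e.g. "<" becomes "&#60;". At this point the string is inert.
$encoded = filter_var($untrusted, FILTER_SANITIZE_SPECIAL_CHARS);

// Step 2: html_entity_decode() reverses step 1 exactly, so the original markup
// is restored. Encode-then-decode therefore provides no protection at all.
$decoded = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump($decoded === $untrusted); // bool(true): the "sanitization" was undone

// Step 3: a hypothetical attribute-only filter. It removes on*="..." event
// handler attributes but never touches tag names, so <script> survives.
function stripAttributesOnly(string $html): string
{
    $result = preg_replace('/\s+on\w+\s*=\s*(["\']).*?\1/i', '', $html);
    return $result ?? $html;
}
$filtered = stripAttributesOnly($decoded);
var_dump(str_contains($filtered, '<script>')); // bool(true): tag still present

// Defensive option A: the content is plain text, so escape it for HTML output.
// The browser then shows "<script>" literally instead of executing it.
$escaped = htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump(str_contains($escaped, '<script>')); // bool(false)

// Defensive option B: the content is rich text, so apply a tag-level
// allow-list. strip_tags() keeps only the listed tags and drops every other
// tag (here <script>, leaving its inner text behind). Note that strip_tags()
// keeps attributes on allowed tags, so an attribute filter is still needed on
// top of it; a dedicated HTML sanitizer library is the more robust choice.
function allowListTags(string $html): string
{
    $allowed = stripAttributesOnly(strip_tags($html, '<p><a><strong><em><ul><ol><li>'));
    return $allowed;
}
$sanitized = allowListTags($decoded);
var_dump(str_contains($sanitized, '<script')); // bool(false)

echo "escaped:   ", $escaped, PHP_EOL;
echo "sanitized: ", $sanitized, PHP_EOL;
```

The key design point is where the transformation happens: encoding applied on input and then reversed before storage or rendering buys nothing, whereas escaping applied once at the output boundary (or a tag-level allow-list for rich text) acts on the exact bytes the browser will parse.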


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain low-privilege account with FAQ_ADD permission
  • Delivery: Acquire valid CSRF token from authenticated session
  • Exploit: Craft FAQ with <script> payload in question/answer
  • Install: Submit via /admin/api/faq/create endpoint
  • C2: Payload passes through encode-decode sanitization bypass
  • Execute: Malicious FAQ stored in database
  • Impact: Victim users browse FAQ or search results
  • Step 8: Stored JavaScript executes in victim browsers

Vulnerability Assessment (AI)

Exploitation: Attacker must possess an authenticated phpMyFAQ account with FAQ_ADD permission assigned (PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 5.4 (Medium) reflects network accessibility (AV:N) with low attack complexity (AC:L) but requires authenticated access with low privileges (PR:L) and user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a low-privilege account possessing FAQ_ADD permission (such as a content editor or support staff member) crafts a malicious FAQ entry containing a <script> tag in the question or answer field. The payload is designed to steal session cookies or perform actions as authenticated users. …

Remediation: Upgrade to phpMyFAQ version 4.1.2 immediately, which addresses the encode-decode bypass and implements proper tag-level sanitization. … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-46363 vulnerability details – vuln.today
