Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
AnalysisAI
Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.
Technical ContextAI
The vulnerable sink is Utils::parseUrl() at phpmyfaq/src/phpMyFAQ/Utils.php line 281, which uses the regex /(https?:\/\/[^\s]+)/i and substitutes matches directly into <a href="$1">$1</a> with no htmlspecialchars() call - a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw where the character class [^\s]+ greedily consumes the literal double-quote needed to break out of the attribute. The sink is only reachable when main.enableCommentEditor is enabled, because that path routes comments through sanitizeHtmlComment() instead of FILTER_SANITIZE_SPECIAL_CHARS, preserving the quote through storage; rendering then uses {{ comment.comment|raw }} in comment.macros.twig line 40, disabling Twig auto-escaping. The CPE cpe:2.3:a:thorsten:phpmyfaq:*:*:*:*:*:*:*:* covers the affected upstream package, and the absence of any Content-Security-Policy header in the application removes a key mitigating control.
RemediationAI
Vendor-released patch: upgrade to phpMyFAQ 4.1.2 via Composer (thorsten/phpmyfaq or phpmyfaq/phpmyfaq), as documented in GHSA-9525-27vj-c8r8 at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8. If immediate upgrade is not possible, the highest-leverage workaround is to disable the rich comment editor by setting main.enableCommentEditor = false in the admin Configuration panel, which routes comment input back through FILTER_SANITIZE_SPECIAL_CHARS and prevents the double-quote from surviving to the parseUrl() sink - the trade-off is loss of HTML formatting in comments. As compensating controls, disable open user registration and remove existing low-trust accounts to eliminate the authenticated precondition, purge or moderate stored comments before applying the fix to remove any pre-planted payloads, and deploy a strict Content-Security-Policy header (the app currently sets none) such as default-src 'self'; script-src 'self' to neutralize inline event handlers, accepting that any inline scripts the app legitimately uses will need refactoring.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30578
GHSA-w42g-jj8w-fj77