Skip to main content

phpMyFAQ EUVDEUVD-2026-30578

| CVE-2026-46367 HIGH
Cross-site Scripting (XSS) (CWE-79)
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 16:38 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
7.6 (HIGH) 8.3 (HIGH)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:31 vuln.today
Analysis Generated
May 15, 2026 - 19:31 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

AnalysisAI

Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.

Technical ContextAI

The vulnerable sink is Utils::parseUrl() at phpmyfaq/src/phpMyFAQ/Utils.php line 281, which uses the regex /(https?:\/\/[^\s]+)/i and substitutes matches directly into <a href="$1">$1</a> with no htmlspecialchars() call - a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw where the character class [^\s]+ greedily consumes the literal double-quote needed to break out of the attribute. The sink is only reachable when main.enableCommentEditor is enabled, because that path routes comments through sanitizeHtmlComment() instead of FILTER_SANITIZE_SPECIAL_CHARS, preserving the quote through storage; rendering then uses {{ comment.comment|raw }} in comment.macros.twig line 40, disabling Twig auto-escaping. The CPE cpe:2.3:a:thorsten:phpmyfaq:*:*:*:*:*:*:*:* covers the affected upstream package, and the absence of any Content-Security-Policy header in the application removes a key mitigating control.

RemediationAI

Vendor-released patch: upgrade to phpMyFAQ 4.1.2 via Composer (thorsten/phpmyfaq or phpmyfaq/phpmyfaq), as documented in GHSA-9525-27vj-c8r8 at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8. If immediate upgrade is not possible, the highest-leverage workaround is to disable the rich comment editor by setting main.enableCommentEditor = false in the admin Configuration panel, which routes comment input back through FILTER_SANITIZE_SPECIAL_CHARS and prevents the double-quote from surviving to the parseUrl() sink - the trade-off is loss of HTML formatting in comments. As compensating controls, disable open user registration and remove existing low-trust accounts to eliminate the authenticated precondition, purge or moderate stored comments before applying the fix to remove any pre-planted payloads, and deploy a strict Content-Security-Policy header (the app currently sets none) such as default-src 'self'; script-src 'self' to neutralize inline event handlers, accepting that any inline scripts the app legitimately uses will need refactoring.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

EUVD-2026-30578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy