
phpMyFAQ EUVD-2026-30597

CVE-2026-46360 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 · VulnCheck · GHSA-wj3q-vw2v-3rj3
CVSS 4.0 base score 5.1 (NVD)

Severity by source

NVD (primary): 5.1 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline

CVSS changed: May 28, 2026 - 16:22 (NVD) · 5.4 (MEDIUM) → 5.1 (MEDIUM)
Patch available: May 15, 2026 - 20:02 (EUVD)
Source code evidence fetched: May 15, 2026 - 19:37 (vuln.today)
Analysis generated: May 15, 2026 - 19:37 (vuln.today)

Description (CVE.org)

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.

Analysis (AI)

Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting the limit on recursive entity decoding. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate with FAQ_EDIT permission
Delivery: Craft SVG with 5-layer entity-encoded javascript: URL
Exploit: Upload via /admin/api/content/images
Install: Bypass SvgSanitizer validation
C2: Store malicious SVG unfiltered
Execute: Victim clicks SVG link
Impact: Execute arbitrary JavaScript

Vulnerability Assessment (AI)

Exploitation: The attacker must have authenticated access to phpMyFAQ with FAQ_EDIT permission enabled for their account. …
Risk Assessment: The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) yields a base score of 5.4 (Medium), which accurately reflects the attack requirements and impact. …
Exploit Scenario: An authenticated attacker with FAQ_EDIT permission logs into phpMyFAQ and navigates to the image upload interface at /admin/api/content/images. The attacker crafts a malicious SVG file containing an <a> element whose href attribute encodes the string 'javascript:alert(document.domain)' using five levels of ampersand nesting around numeric HTML entities: <svg><a href="&amp;amp;amp;amp;amp;#106;&amp;amp;amp;amp;amp;#97;&amp;amp;amp;amp;amp;#118;...">Click me</a></svg>. …
Remediation: Upgrade to phpMyFAQ version 4.1.2 or later, which fixes the vulnerability by increasing the maxIterations limit in decodeAllEntities() or by implementing multi-phase entity normalization that fully resolves nested encoding before pattern matching. …
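The description and remediation above turn on one design point: a sanitizer that stops decoding after a fixed number of passes can be handed a value that needs one more pass than it is willing to make, so the value it pattern-matches is not the value a fully-decoding consumer sees. The Python below is an added illustration of that failure mode and of the fixpoint decode that closes it; it is not phpMyFAQ's code and does not reproduce SvgSanitizer::decodeAllEntities(). The function names (nest_entities, decode_bounded, decode_fixpoint, href_is_safe_*) and the sample href are constructed for this example; the nesting shape of the sample follows the advisory's payload, and the decoder uses the standard library's html.unescape as a stand-in for whatever entity decoder a real sanitizer calls.

```python
import html
import re
from typing import Optional

# Anything that, once fully decoded, names the javascript: scheme. Whitespace and
# control characters are stripped first because consumers tolerate them inside a scheme.
_JS_SCHEME = re.compile(r"^javascript:", re.IGNORECASE)


def _normalise(value: str) -> str:
    """Remove ASCII control characters and whitespace before scheme matching."""
    return re.sub(r"[\x00-\x20]", "", value)


def nest_entities(text: str, layers: int) -> str:
    """Constructed helper: encode every character of `text` as a decimal numeric
    entity, then re-encode the leading '&' `layers` times. The result needs
    `layers + 1` decode passes before the original text is visible."""
    encoded = "".join(f"&#{ord(ch)};" for ch in text)
    for _ in range(layers):
        encoded = encoded.replace("&", "&amp;")
    return encoded


def decode_bounded(value: str, max_iterations: int = 5) -> str:
    """Vulnerable pattern: decode at most `max_iterations` times and then trust
    whatever is left, even if another pass would still change it."""
    for _ in range(max_iterations):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_fixpoint(value: str, hard_cap: int = 64) -> Optional[str]:
    """Hardened pattern: decode until a pass changes nothing (idempotence).
    A hard cap still bounds work, but non-convergence is a rejection, not an
    acceptance: the caller never pattern-matches a partially decoded value."""
    for _ in range(hard_cap):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    return None  # did not converge; treat as unsafe


def href_is_safe_bounded(href: str, max_iterations: int = 5) -> bool:
    """Check modelled on the flawed approach: match on a bounded decode."""
    return _JS_SCHEME.search(_normalise(decode_bounded(href, max_iterations))) is None


def href_is_safe_fixpoint(href: str) -> bool:
    """Check modelled on the fix: match only on a fully decoded value."""
    decoded = decode_fixpoint(href)
    if decoded is None:
        return False
    return _JS_SCHEME.search(_normalise(decoded)) is None


if __name__ == "__main__":
    # Constructed sample: the scheme wrapped in five layers of "&amp;" encoding
    # (the shape shown in the advisory), followed by a harmless tail.
    sample = nest_entities("javascript:", 5) + "void(0)"
    print("bounded (5 passes) accepts:", href_is_safe_bounded(sample))
    print("fixpoint accepts:          ", href_is_safe_fixpoint(sample))
```

Five layers of wrapping leave the bounded decoder holding plain numeric entities after its fifth pass, so the scheme pattern never matches and the href is accepted; the fixpoint decoder makes the sixth pass, sees the scheme and rejects. Raising maxIterations alone only moves the boundary, which is why the remediation text also mentions full normalisation before matching: the check must run on the value that will not change any further, and an input that refuses to settle should be rejected rather than passed through.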



EUVD-2026-30597 vulnerability details – vuln.today
