Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Admin Editor
Action: Patch Now
AI Analysis

Impact

An e‑mail address that is syntactically valid under RFC 5321 (quoted local part) yet contains raw HTML, such as "<script>alert(1)</script>"@evil.com, passes PHP's FILTER_VALIDATE_EMAIL filter, which phpMyFAQ versions older than 4.1.1 rely on when accepting guest submissions. The address is persisted without sanitization and later rendered in the administrative FAQ editor template through Twig’s |raw filter, which bypasses the framework’s auto‑escaping. When an administrator opens the editor, the address is written into the page’s HTML unescaped, so arbitrary JavaScript executes in the browser of any admin user who views the page. This can lead to session hijacking, theft of administrative credentials, or defacement of the internal interface.

Affected Systems

The vulnerability exists in all phpMyFAQ releases prior to version 4.1.1. Administrators running older versions should verify whether the guest FAQ submission feature is enabled, as it is the entry point for the malicious e‑mail address.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in CISA's KEV catalog. The likely attack vector is an unauthenticated web submission (the guest FAQ form) carrying the crafted e‑mail address; this inference is based on the description of how the address is accepted and stored. The user‑interaction component of the CVSS vector reflects that an administrator must open the affected editor page before the injected script runs.

Generated by OpenCVE AI on April 7, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.1 or newer
  • Disable or restrict guest FAQ submissions until an update is applied
  • Implement server‑side filtering to reject or strip HTML tags from e‑mail addresses and avoid using Twig’s raw filter when rendering user data
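
As an added illustration (not phpMyFAQ's own code), the PHP below shows the two layers the recommended actions describe: an input check stricter than FILTER_VALIDATE_EMAIL that rejects quoted local parts, and HTML escaping on output in place of |raw. The function names, the dot‑atom pattern and the sample inputs are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ's code. It shows why FILTER_VALIDATE_EMAIL alone
// is not a sufficient input check and what the two defensive layers look like.

/**
 * Accept an address only if it passes PHP's validator AND its local part is a
 * plain RFC 5321 dot-atom (no quoted local part). Assumption: the application
 * has no need to accept quoted local parts from anonymous submitters, so the
 * stricter rule removes '"', '<', '>', spaces and backslashes at no cost.
 */
function isAcceptableEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // atext characters joined by '.', then '@', then one or more dotted labels
    $dotAtom = '/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+)*'
             . '@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/';
    return preg_match($dotAtom, $email) === 1;
}

/**
 * Output-side defence: escape for HTML. This is what Twig's auto-escaping does
 * by default and what |raw switches off; user-controlled values such as a
 * submitter's e-mail address should never be passed through |raw.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs; the second has the shape described in the advisory.
$samples = [
    'alice@example.com',
    '"<script>alert(1)</script>"@evil.com',
];

foreach ($samples as $email) {
    $filterVar = filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? 'accepts' : 'rejects';
    $strict    = isAcceptableEmail($email) ? 'accepts' : 'rejects';
    echo "input:                 {$email}\n";
    echo "FILTER_VALIDATE_EMAIL: {$filterVar}\n";
    echo "dot-atom check:        {$strict}\n";
    echo "escaped for HTML:      " . escapeForHtml($email) . "\n\n";
}
```

Run it with the PHP CLI; the second sample is accepted by the built‑in filter, rejected by the dot‑atom check, and rendered harmless by the escaping step.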

Generated by OpenCVE AI on April 7, 2026 at 23:33 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-98gw-w575-h2ph
Title: phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
History

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpmyfaq; Phpmyfaq phpmyfaq
CPEs | | cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products | | Phpmyfaq; Phpmyfaq phpmyfaq
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thorsten; Thorsten phpmyfaq
Vendors & Products | | Thorsten; Thorsten phpmyfaq

Thu, 02 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
Title | | phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Weaknesses | | CWE-20; CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:06.203Z

Reserved: 2026-03-12T15:29:36.558Z

Link: CVE-2026-32629

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-02T15:16:38.017

Modified: 2026-04-07T16:10:02.627

Link: CVE-2026-32629

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:18Z

Weaknesses