CVE-2026-32629 - Vulnerability Details

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.

Published: 2026-04-02

Score: 5.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An unauthenticated attacker can submit an email address containing raw HTML into the guest FAQ form. PHP’s FILTER_VALIDATE_EMAIL accepts the string, and the application stores it without escaping. Later, the value is rendered in the admin FAQ editor template using Twig’s raw filter, bypassing all escaping. When an administrator opens the FAQ, the injected code runs in their browser, which can lead to credential theft, session hijacking, or page defacement.

Affected Systems

The issue affects phpMyFAQ version 4.1.0 and earlier. Thorsten’s phpMyFAQ project releases a fix in version 4.1.1, which removes the unsanitized email field usage. Only installations that use the guest FAQ feature and have not applied the 4.1.1 patch are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. An EPSS score is not available, so the exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply submitting a crafted email address via the public forum; execution occurs only when an administrator later views the FAQ, so the impact is limited to admin users but could result in full compromise of the administration session if the injected code is malicious.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thorsten

phpMyFAQ

affected

Version	Status	Constraints
`< 4.1.1`	affected	—

No data.

Vendor Product Confidence Versions

Thorsten

Phpmyfaq

100%

Version	Status	Scheme	Platform
`[0,4.1.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade phpMyFAQ to version 4.1.1 or a later release that removes the unsanitized email field.
If an upgrade is not possible, configure the application to reject or strip HTML characters from the email field before storing guest FAQs.
Temporarily disable guest FAQ submissions until the upstream patch is applied to eliminate the injection vector.

Generated by OpenCVE AI on April 2, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-98gw-w575-h2ph	phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thorsten Thorsten phpmyfaq
Vendors & Products		Thorsten Thorsten phpmyfaq

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's \|raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
Title		phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Weaknesses		CWE-20 CWE-79
References		https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph
Metrics		cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P'}`

Subscriptions

Thorsten Phpmyfaq

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-02T14:43:14.799Z

Updated: 2026-04-02T16:23:06.203Z

Reserved: 2026-03-12T15:29:36.558Z

Link: CVE-2026-32629

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T15:16:38.017

Modified: 2026-04-02T17:16:22.527

Link: CVE-2026-32629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:56Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object