Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling privilege escalation
Action: Immediate Patch
AI Analysis

Impact

A regex-based SVG sanitizer in phpMyFAQ can be bypassed using HTML entity encoding inside javascript: URLs within SVG <a href> attributes. This allows an attacker who can upload an SVG as an editor to execute arbitrary JavaScript in the context of FAQ viewers, leading to stored cross‑site scripting and a privilege escalation from editor to administrator.

Affected Systems

The vulnerability affects the open source FAQ application phpMyFAQ (developed by thorsten) prior to version 4.1.1. Versions 4.1.1 and later contain the patch that fixes the sanitizer bypass.

Risk and Exploitability

The flaw has a CVSS score of 5.4, indicating moderate severity, and an EPSS score of less than 1%, suggesting low likelihood of exploitation. It is not listed in CISA’s KEV catalog. An attacker must be able to upload SVG content with edit_faq permission, meaning the attack vector is an authenticated internal attacker. When successful, the attacker can run arbitrary code and elevate privileges to full administrator.

Generated by OpenCVE AI on April 6, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.1 or newer, which contains the fixed SVG sanitizer.
  • If an immediate upgrade is not feasible, disable or restrict SVG uploads for users with edit_faq permission, or remove the offending SVG files from the FAQ database.
  • Continuously monitor for suspicious SVG uploads and validate uploaded content against a tight whitelist.

Generated by OpenCVE AI on April 6, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5crx-pfhq-4hgg phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
Title phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:22:14.990Z

Reserved: 2026-03-31T19:38:31.616Z

Link: CVE-2026-34974

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:51.903

Modified: 2026-04-06T16:09:58.670

Link: CVE-2026-34974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:56:09Z

Weaknesses