Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The regex-based SVG sanitizer in SvgSanitizer.php inspects the raw markup, so a javascript: URL whose characters are written with HTML entity encoding inside an SVG <a href> attribute slips past the pattern, while the browser decodes the entities and treats the link as JavaScript. A user with edit_faq permission uploads the crafted SVG, which is then served to anyone who views it. The result is stored cross-site scripting: the attacker's JavaScript runs in the victim's browser within the origin of the phpMyFAQ instance, and when the victim is an administrator the script can act with that session, escalating the attacker from editor to full admin takeover.

Affected Systems

phpMyFAQ, the open source FAQ web application, is affected in all releases prior to version 4.1.1. Any installation older than 4.1.1 that grants edit_faq (the ability to edit or upload FAQ content) to users who are not fully trusted exposes a direct attack surface.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity: the attacker needs an account with edit_faq permission (PR:L) and a victim has to view the FAQ (UI:R), while the scope is changed because the payload runs in the victim's browser rather than on the server. EPSS is below 1% (very low) and the issue is not indexed in CISA's KEV catalog. Once a malicious SVG is stored, every visitor who views it runs the payload; the escalation to administrator occurs when an administrator is among those viewers. Upgrading to 4.1.1 removes the sanitizer bypass; SVG files uploaded before the upgrade should still be reviewed.

Generated by OpenCVE AI on April 2, 2026 at 16:35 UTC.

Remediation

Vendor fix: phpMyFAQ 4.1.1 (advisory GHSA-5crx-pfhq-4hgg). No separate workaround is listed.

OpenCVE Recommended Actions

  • Apply the official patch found in the phpMyFAQ 4.1.1 release.
  • Upgrade all affected installations to version 4.1.1 or later.
  • Audit and reduce the number of users with edit_faq permission, limiting the potential impact area.
  • After upgrading, re-check every SVG already stored in the upload area and re-sanitize or delete any whose href (or xlink:href) resolves to a javascript: URL once entities are decoded; the fix hardens the sanitizer at upload time and does not by itself clean files stored earlier.
  • As defence in depth, serve user-uploaded SVG only through <img> elements or with Content-Disposition: attachment and a restrictive Content-Security-Policy, since script inside an SVG does not execute when the file is rendered as an image.
  • Implement a rigorous update policy to apply future security patches promptly.
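The following audit script is an added example, not phpMyFAQ's code and not the regex from SvgSanitizer.php (the advisory does not reproduce it). It serves both the Impact section above and the "re-check stored SVG files" recommendation: a stand-in regex over the raw markup misses an entity-encoded javascript: URL that any XML parser, the browser's included, decodes, whereas parsing the file, normalizing the href the way a URL parser does, and allowlisting the scheme catches it. The sample SVGs, the stand-in regex, the scheme allowlist and the scan_upload_dir helper are all assumptions of this example.

```python
"""Audit stored SVG files for javascript: hrefs that a raw-text regex misses.

Added illustration, not phpMyFAQ's code. NAIVE_JS_HREF is a generic stand-in
for a regex-on-source check, and SAMPLES are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Stand-in for a regex that inspects the raw markup (NOT phpMyFAQ's pattern).
NAIVE_JS_HREF = re.compile(r'href\s*=\s*["\']\s*javascript\s*:', re.IGNORECASE)

# Constructed samples. Character references such as &#106; are decoded by the
# XML parser, so the browser sees "javascript:" while the regex only ever sees
# the raw bytes "&#106;avascript:".
SAMPLES = {
    "benign": '<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.org/faq">'
              '<text>help</text></a></svg>',
    "plain": '<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)">'
             '<text>x</text></a></svg>',
    "decimal_entity": '<svg xmlns="http://www.w3.org/2000/svg">'
                      '<a href="&#106;avascript:alert(1)"><text>x</text></a></svg>',
    "hex_entity_xlink": '<svg xmlns="http://www.w3.org/2000/svg" '
                        'xmlns:xlink="http://www.w3.org/1999/xlink">'
                        '<a xlink:href="java&#x73;cript:alert(1)"><text>x</text></a></svg>',
    # &#9; survives XML attribute normalization as a literal tab, and URL
    # parsers drop tabs inside the scheme.
    "tab_in_scheme": '<svg xmlns="http://www.w3.org/2000/svg">'
                     '<a href="  java&#9;script:alert(1)"><text>x</text></a></svg>',
}

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: what an FAQ link needs
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
C0_AND_SPACE = "".join(map(chr, range(0x21)))   # U+0000..U+0020


def naive_regex_flags(svg: str) -> bool:
    """The bypassed approach: search for the literal string in the raw markup."""
    return bool(NAIVE_JS_HREF.search(svg))


def normalize_url(value: str) -> str:
    """Approximate what a browser URL parser does before reading the scheme:
    strip leading/trailing C0 controls and space, drop tab/LF/CR anywhere."""
    value = value.strip(C0_AND_SPACE)
    return value.replace("\t", "").replace("\n", "").replace("\r", "")


def url_scheme(value: str):
    """Scheme of a normalized URL in lowercase, or None for relative/fragment URLs."""
    m = SCHEME_RE.match(normalize_url(value).lower())
    return m.group(1) if m else None


def find_unsafe_hrefs(svg: str) -> list:
    """Parse the SVG as XML (decoding character references as a browser would),
    then check every href / xlink:href against the scheme allowlist.
    Raises ET.ParseError on malformed input, including HTML-only named entities
    such as &colon; that XML does not define."""
    root = ET.fromstring(svg)
    unsafe = []
    for el in root.iter():
        for key, value in el.attrib.items():
            if key.rsplit("}", 1)[-1] != "href":      # matches href and {xlink-ns}href
                continue
            scheme = url_scheme(value)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                unsafe.append(normalize_url(value))
    return unsafe


def is_safe_svg(svg: str) -> bool:
    """Fail closed: anything the XML parser rejects is rejected too."""
    try:
        return not find_unsafe_hrefs(svg)
    except ET.ParseError:
        return False


def scan_upload_dir(root) -> dict:
    """Map each *.svg under root to its unsafe href values (None if unparseable)."""
    report = {}
    for path in Path(root).rglob("*.svg"):
        try:
            report[str(path)] = find_unsafe_hrefs(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            report[str(path)] = None
    return report


def compare_samples() -> dict:
    """For each sample: (regex flagged it, parser-based check considers it safe)."""
    return {name: (naive_regex_flags(svg), is_safe_svg(svg)) for name, svg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (regex_hit, safe) in compare_samples().items():
        print(f"{name:18} regex_flags={regex_hit!s:5} parser_says_safe={safe}")
```

Running the script prints the comparison: only the plain payload trips the regex, while the parser-based check rejects all four malicious samples and accepts the benign one. Point scan_upload_dir at the phpMyFAQ upload directory to list files that need re-sanitizing or deletion. Two caveats: the check covers only the href scheme described in the advisory and is not a complete SVG sanitizer (event-handler attributes, <script> and <foreignObject> need their own handling), and for untrusted files in production the parse step should use defusedxml rather than the stock xml.etree to avoid entity-expansion attacks.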



Advisories
Source: GitHub GHSA
ID: GHSA-5crx-pfhq-4hgg
Title: phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values added: Thorsten; Thorsten phpmyfaq

Type: Vendors & Products
Values added: Thorsten; Thorsten phpmyfaq

Thu, 02 Apr 2026 15:15:00 +0000

Type: Description
Values added: phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.

Type: Title
Values added: phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (blank in this entry)

Type: Metrics
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:22:14.990Z

Reserved: 2026-03-31T19:38:31.616Z

Link: CVE-2026-34974

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-02T15:16:51.903

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:18Z

Weaknesses