Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user with FAQ_EDIT rights to embed malicious SVG files that bypass a depth‑limit check in the SvgSanitizer component, resulting in stored cross‑site scripting. The attacker can use deeply nested ampersand encodings around numeric HTML entities to reconstruct javascript: URLs that are executed when another user opens the SVG.

Affected Systems

Affected systems include the phpMyFAQ content‑management solution from thorsten with any version earlier than 4.1.2. Users running these releases cannot avoid the vulnerable sanitization logic, and anyone able to add entries to the FAQ can insert otherwise sanitized code into the database and serve it to visitors.

Risk and Exploitability

Risk assessment shows a CVSS score of 5.1, indicating moderate severity. The EPSS score is <1% (0.00029), and the vulnerability does not appear in the CISA KEV list. Exploitability requires that the attacker possess authenticated FAQ_EDIT privileges, but otherwise there are no additional prerequisites, so the flaw can be leveraged inside trusted editor accounts to persistently deliver malicious script to other users.

Generated by OpenCVE AI on May 28, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later, which resolves the entity decoding depth check issue.
  • If an upgrade is not immediately possible, disable SVG file uploads altogether or restrict uploads to trusted administrators only by configuring the platform’s file‑type settings.
  • Apply HTTP security headers such as X‑Content‑Type‑Options, X‑XSS‑Protection, and Content‑Security‑Policy to limit script execution capabilities in any page that may display SVG content.
  • As a temporary workaround, implement server‑side filtering that strips out script or javascript: URLs from uploaded SVG files before storage.

Generated by OpenCVE AI on May 28, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wj3q-vw2v-3rj3 phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
History

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.
Title phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:24.169Z

Reserved: 2026-05-13T19:40:27.808Z

Link: CVE-2026-46360

cve-icon Vulnrichment

Updated: 2026-05-15T20:16:17.036Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T19:17:03.263

Modified: 2026-05-28T16:16:26.623

Link: CVE-2026-46360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T18:00:13Z

Weaknesses