Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.
Published: 2026-05-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user with FAQ_EDIT rights to upload malicious SVG files that bypass a depth‑limit check in the SvgSanitizer component, resulting in stored cross‑site scripting. The attacker can use deeply nested ampersand encodings around numeric HTML entities to reconstruct javascript: URLs that are executed when another user opens the SVG. The flaw is classified as CWE‑79, a classic client‑side weakness, and exposes affected users to arbitrary script execution in the browser, potentially leading to session hijacking, credential theft or defacement.
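To make the bug class concrete, the following is an added Python model, not phpMyFAQ's own code (the real SvgSanitizer is PHP and its exact logic is not on this page): a sanitizer whose entity decoder stops after a fixed number of rounds, beside a hardened fixpoint decoder that rejects input exceeding a hard cap. It assumes the sanitizer applies its scheme check to the decoder's output and that a browser decodes the stored attribute once more; `nested_entity` builds a constructed test vector and all function names are hypothetical.

```python
import html

# Hypothetical model of the bug class, not phpMyFAQ's own code: a sanitizer
# that decodes entities for a fixed number of rounds, then checks the scheme.
BOUNDED_ROUNDS = 5

def decode_bounded(value: str, rounds: int = BOUNDED_ROUNDS) -> str:
    """Decode entities for at most `rounds` passes; deeper nesting survives."""
    for _ in range(rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def decode_fixpoint(value: str, hard_cap: int = 32) -> str:
    """Hardened variant: decode until nothing changes. If the cap is hit
    first, reject the input rather than return a partially decoded string."""
    for _ in range(hard_cap):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("entity nesting exceeds hard cap; rejecting input")

def has_script_scheme(decoded: str) -> bool:
    """Scheme check applied to a decoded href / xlink:href value."""
    return decoded.lstrip().lower().startswith("javascript:")

def nested_entity(char: str, depth: int) -> str:
    """Constructed test vector: the numeric entity for `char` wrapped in
    `depth` layers of &amp; encoding, so it needs depth + 1 decode passes."""
    return "&" + "amp;" * depth + f"#{ord(char)};"

def sanitizer_verdict(href: str, decoder) -> tuple:
    """Return (rejected, decoded_output) under the given decoder strategy."""
    try:
        decoded = decoder(href)
    except ValueError:
        return True, ""
    return has_script_scheme(decoded), decoded

if __name__ == "__main__":
    # 'j' is buried exactly one layer deeper than the bounded decoder reaches.
    href = nested_entity("j", BOUNDED_ROUNDS) + "avascript:void(0)"
    print(sanitizer_verdict(href, decode_bounded))      # (False, '&#106;avascript:void(0)')
    print(decode_bounded("&#106;avascript:void(0)", 1))  # javascript:void(0)
    print(sanitizer_verdict(href, decode_fixpoint))     # (True, 'javascript:void(0)')
```

The bounded decoder returns a residual `&#106;avascript:` that its own check does not flag, yet a single further decode pass (what a browser does with the attribute) yields the javascript: scheme; the fixpoint decoder sees the full URL and rejects it.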

Affected Systems

Affected systems include the phpMyFAQ content‑management solution from thorsten in any version earlier than 4.1.2. Users running these releases cannot avoid the vulnerable sanitization logic, and anyone with FAQ_EDIT permission can store content that passes the sanitizer into the database and have it served to visitors.

Risk and Exploitability

Risk assessment shows a CVSS score of 5.4, indicating moderate severity. No EPSS score is recorded, and the vulnerability does not appear in the CISA KEV list. Exploitability requires that the attacker possess authenticated FAQ_EDIT privileges, but otherwise there are no additional prerequisites, so the flaw can be leveraged inside trusted editor accounts to persistently deliver malicious script to other users.

Generated by OpenCVE AI on May 15, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later, which resolves the entity decoding depth check issue.
  • If an upgrade is not immediately possible, disable SVG file uploads altogether or restrict uploads to trusted administrators only by configuring the platform’s file‑type settings.
  • Apply HTTP security headers such as X‑Content‑Type‑Options, X‑XSS‑Protection, and Content‑Security‑Policy to limit script execution capabilities in any page that may display SVG content.
  • As a temporary workaround, implement server‑side filtering that strips out script or javascript: URLs from uploaded SVG files before storage.

Tracking

Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Thorsten; Thorsten phpmyfaq
Vendors & Products   -                Thorsten; Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.
Title         -                phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T20:16:21.024Z

Reserved: 2026-05-13T19:40:27.808Z

Link: CVE-2026-46360

Vulnrichment

Updated: 2026-05-15T20:16:17.036Z

NVD

Status : Received

Published: 2026-05-15T19:17:03.263

Modified: 2026-05-15T21:16:38.753

Link: CVE-2026-46360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses