Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a stored XSS in the FAQ creation and update endpoints that lets an authenticated user with FAQ_ADD permission inject arbitrary JavaScript into question or answer fields. When the FAQ page is rendered with the raw Twig filter, the malicious code executes in every visitor's browser. This issue belongs to CWE‑79.

Affected Systems

The vulnerability affects the community edition of phpMyFAQ versions prior to 4.1.2. Users running phpMyFAQ 4.0, 4.1.1 or earlier are exposed.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. An attacker needs authentication and FAQ_ADD rights to store script tags; every viewer of the affected FAQ will execute the code. The EPSS score of < 1% indicates a very low but non‑zero exploitation probability, and the flaw is not listed in CISA KEV.

Generated by OpenCVE AI on May 28, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later, where the sanitization routine removes the encode‑decode bypass.
  • Restrict the FAQ_ADD permission to trusted administrators only, removing it from users who do not need to create or edit FAQs.
  • Configure Twig to use safe filters or auto‑escape and avoid the raw filter when rendering FAQ content.

Generated by OpenCVE AI on May 28, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h36g-93qx-rxgr phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
History

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.
Title phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:26.247Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46363

cve-icon Vulnrichment

Updated: 2026-05-15T20:00:31.037Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T19:17:03.633

Modified: 2026-05-28T16:16:26.970

Link: CVE-2026-46363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses