Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.
Published: 2026-05-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a stored XSS in the FAQ creation and update endpoints that lets an authenticated user with FAQ_ADD permission inject arbitrary JavaScript into question or answer fields. When the FAQ page is rendered with the raw Twig filter, the malicious code executes in every visitor's browser. This issue belongs to CWE‑79.

Affected Systems

The vulnerability affects the community edition of phpMyFAQ versions prior to 4.1.2. Users running phpMyFAQ 4.0, 4.1.1 or earlier are exposed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, impacting mainly the integrity of rendered content. An attacker needs authentication and FAQ_ADD rights to store script tags; every viewer of the affected FAQ will execute the code. EPSS is not available and the flaw is not listed in CISA KEV.

Generated by OpenCVE AI on May 15, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later, where the sanitization routine removes the encode‑decode bypass.
  • Restrict the FAQ_ADD permission to trusted administrators only, removing it from users who do not need to create or edit FAQs.
  • Configure Twig to use safe filters or auto‑escape and avoid the raw filter when rendering FAQ content.

Generated by OpenCVE AI on May 15, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.
Title phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T20:01:46.557Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46363

cve-icon Vulnrichment

Updated: 2026-05-15T20:00:31.037Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:03.633

Modified: 2026-05-15T21:16:38.863

Link: CVE-2026-46363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses