Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
Published: 2026-05-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpMyFAQ versions prior to 4.1.2 contain a stored cross‑site scripting flaw in the Utils::parseUrl() routine used when rendering comments. Attackers who are authenticated can submit comments that include specially crafted URLs with unescaped quotes. When visitors load the affected FAQ page, the embedded JavaScript executes in the victims’ browsers, allowing cookie theft and ultimately full control of the application.

Affected Systems

The vulnerability affects the phpMyFAQ application provided by the vendor thorsten. Any deployment using a version older than 4.1.2 is susceptible; the vulnerability is tied to the comment rendering feature that processes URLs via the Utils::parseUrl() function.

Risk and Exploitability

The flaw has a CVSS score of 7.6, indicating medium‑to‑high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Exploitation requires an authenticated user with permission to post comments, which can then be viewed by any visitor, providing a straightforward attack path to inject malicious code into the application’s output. Once the code runs, attackers can steal session cookies and gain complete control of the phpMyFAQ installation.

Generated by OpenCVE AI on May 15, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest phpMyFAQ version (4.1.2 or newer) to eliminate the stored XSS issue.
  • Sanitize or escape URLs in comment content before rendering to prevent execution of injected scripts.
  • Deploy a content security policy that blocks inline event handlers and restricts script origins to mitigate any remnant XSS vectors.

Generated by OpenCVE AI on May 15, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
Title phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T01:19:16.638Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46367

cve-icon Vulnrichment

Updated: 2026-05-16T01:19:09.213Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:04.087

Modified: 2026-05-16T02:16:15.703

Link: CVE-2026-46367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:45:08Z

Weaknesses