CVE-2026-46363

MEDIUM CVSS 5.4 View on NVD ↗

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896
https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896

Published: May 15, 2026 19:17 UTC Modified: May 15, 2026 21:16 UTC