Phpmyfaq · Phpmyfaq · CVE-2026-46367
**Name of the Vulnerable Software and Affected Versions**
phpMyFAQ versions prior to 4.1.2
**Description**
A stored cross-site scripting issue exists in the `parseUrl()` function of the `Utils` class. Authenticated users can inject JavaScript by submitting malformed URLs in comments: quotes in the URL are not escaped, so they can be used to inject event handlers. When users view the affected FAQ pages, attackers can steal administrator session cookies, potentially leading to a full application takeover.
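The failure mode described above, a quote inside a linkified URL closing the `href` attribute, shown next to a hardened linkifier as an added example. This is not phpMyFAQ's `parseUrl()` code or its 4.1.2 fix; `linkifyUnsafe`, `linkifySafe` and the sample comment are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical naive linkifier (NOT phpMyFAQ's parseUrl()): the matched URL is
// copied into href="..." verbatim, so a double quote in it ends the attribute.
function linkifyUnsafe(string $text): string
{
    return (string) preg_replace('~https?://\S+~i', '<a href="$0">$0</a>', $text);
}

// Hardened form: split the text on URL candidates, HTML-escape every piece
// (quotes included), and build an anchor only for pieces that validate as
// http(s) URLs. Everything else is emitted as escaped plain text.
function linkifySafe(string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $parts = preg_split('~(https?://\S+)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE)
        ?: [$text];
    $out = '';
    foreach ($parts as $i => $part) {
        $escaped = htmlspecialchars($part, $flags, 'UTF-8');
        // Odd indexes hold the captured URL candidates.
        $scheme = strtolower((string) parse_url($part, PHP_URL_SCHEME));
        $isUrl = $i % 2 === 1
            && filter_var($part, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true);
        // The escaped value is used for both the attribute and the link text,
        // so a quote can never terminate href="...".
        $out .= $isUrl
            ? '<a href="' . $escaped . '" rel="nofollow noopener">' . $escaped . '</a>'
            : $escaped;
    }
    return $out;
}

// Constructed sample comment: a URL-like string carrying a quote and an attribute.
$comment = 'see http://example.test/"onmouseover="x for details';

echo linkifyUnsafe($comment), PHP_EOL; // the quote breaks the attribute boundary
echo linkifySafe($comment), PHP_EOL;   // the quote is emitted as &quot;
```

URL validation alone does not neutralize the quote; the output escaping with `ENT_QUOTES` is what keeps it inside the attribute value.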
**Recommendations**
Update to version 4.1.2 or later.
As a temporary workaround, restrict the ability of users to post URLs in comments until the update is applied.