PT-2026-29423 · Phpmyfaq · Phpmyfaq

Wooseokdotkim

·

Published

2026-03-31

·

Updated

2026-04-02

·

CVE-2026-32629

CVSS v4.0

6.4

Medium

Vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.1
Description: In phpMyFAQ prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address containing raw HTML that PHP's FILTER_VALIDATE_EMAIL filter accepts as syntactically valid. The email is stored in the database without sanitization and rendered in the admin FAQ editor template through Twig's |raw filter, which bypasses auto-escaping. When an administrator reviews the FAQ, the injected script executes in their browser (stored cross-site scripting), which can lead to session cookie theft and full takeover of the admin account.
Recommendations: Update to version 4.1.1 or later.
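The following PHP script is an added example, not phpMyFAQ's own code, illustrating the mechanism the advisory describes: FILTER_VALIDATE_EMAIL checks RFC syntax, not safety, and RFC 5321 permits a quoted local part in which characters such as `<`, `>` and `/` are legal, so an address carrying markup passes the filter. The payload string, the function names and the regular expression are assumptions made for this example; the escaping call is the same htmlspecialchars() behaviour that Twig applies when auto-escaping is not bypassed with |raw.

```php
<?php
// Added example (not phpMyFAQ code). Shows why an email address carrying
// HTML passes FILTER_VALIDATE_EMAIL and how output encoding neutralises it.
declare(strict_types=1);

// Constructed attacker input (assumption for this example): a quoted local part
// is valid RFC 5321 syntax, and PHP's filter allows most printable characters
// inside the quotes, so the markup survives "validation" untouched.
$payload = '"<script>alert(document.cookie)</script>"@example.com';

// Syntax check only: this is what the vulnerable code relied on.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable rendering: equivalent to {{ email|raw }} in a Twig template,
// the stored string is emitted verbatim into the admin page.
function renderRaw(string $email): string
{
    return '<td>' . $email . '</td>';
}

// Hardened rendering: equivalent to Twig's default auto-escaping ({{ email }}),
// which HTML-encodes < > & " ' so the browser treats the value as text.
function renderEscaped(string $email): string
{
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth (assumed policy, not the project's fix): accept only the
// unquoted "dot-atom" form of the local part, which has no room for markup.
// Output encoding remains the actual fix; this only shrinks the attack surface.
function isSafeEmail(string $email): bool
{
    $dotAtom = '/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    return isValidEmail($email) && preg_match($dotAtom, $email) === 1;
}

// Walk the payload and a benign address through each stage.
foreach ([$payload, 'alice@example.com'] as $email) {
    printf("input:          %s\n", $email);
    printf("filter_var:     %s\n", isValidEmail($email) ? 'accepted' : 'rejected');
    printf("render |raw:    %s\n", renderRaw($email));
    printf("render escaped: %s\n", renderEscaped($email));
    printf("strict check:   %s\n\n", isSafeEmail($email) ? 'accepted' : 'rejected');
}
```

Run it with `php example.php`. The point of the walk-through is the gap between the first and last checks: filter_var accepts the quoted-local-part payload because it is well-formed, the raw rendering hands that markup to the administrator's browser unchanged, and only the escaped rendering (or, secondarily, the stricter input rule) removes the script context. Validating input format is never a substitute for encoding output for the context it is rendered into.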

Exploit

Fix

RCE

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32629
GHSA-98GW-W575-H2PH

Affected Products

Phpmyfaq