PT-2026-29785 · Phpmyfaq · Phpmyfaq

0Xmanhnv · Published 2026-04-01 · Updated 2026-04-02 · CVE-2026-34974

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.1

Description: phpMyFAQ, an open source FAQ web application, contains a flaw in its SVG sanitizer (SvgSanitizer.php). The regex-based sanitization can be bypassed by HTML entity encoding the javascript: URL inside an SVG <a href> attribute. A user with the edit faq permission can upload a malicious SVG file that executes arbitrary JavaScript when viewed, allowing privilege escalation from an editor to a full admin takeover. The vulnerable file, phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php, uses a regex pattern that fails to detect HTML entity encoded javascript: URLs. The vulnerability is exploitable through the image upload endpoint /admin/api/content/images, which requires only the edit faq permission. The uploaded SVG files are served with Content-Type: image/svg+xml and without a Content-Disposition: attachment header, so the browser renders them inline and executes the embedded JavaScript.

Recommendations: Update phpMyFAQ to version 4.1.1 or later.
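To show the flaw class the advisory describes, here is an added Python example (not phpMyFAQ's code): a regex-only check of the kind that misses entity-encoded schemes, next to a parser-based check that decodes character references before inspecting the href scheme. The sample SVG and all function names are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that can carry a navigable URL in SVG: the plain "href"
# (SVG 2) and the namespaced "xlink:href" (SVG 1.1).
HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Naive, regex-only check of the kind the advisory describes (a constructed
# stand-in, not phpMyFAQ's code). It matches the literal scheme only, so a
# character reference such as "&#106;avascript:" slips past it.
NAIVE_PATTERN = re.compile(r'href\s*=\s*["\']\s*javascript:', re.IGNORECASE)

def naive_has_script_href(svg: str) -> bool:
    return NAIVE_PATTERN.search(svg) is not None

def normalise_url(value: str) -> str:
    """Bring an href value into the form the browser would act on."""
    # Drop tab/newline/CR and other control characters, which browsers strip
    # from URLs, then remove surrounding whitespace and lower-case the scheme.
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip().lower()

def find_script_hrefs(svg: str) -> list[str]:
    """Return the decoded href values whose scheme would run script.

    A real XML parser decodes numeric character references the same way the
    browser does, which is exactly what the regex check never did.
    """
    root = ET.fromstring(svg)
    hits = []
    for element in root.iter():
        for attr in HREF_ATTRS:
            raw = element.get(attr)
            if raw is not None and normalise_url(raw).startswith(SCRIPT_SCHEMES):
                hits.append(raw)
    return hits

def is_safe_svg(svg: str) -> bool:
    """Accept only well-formed SVG with no script-scheme hrefs."""
    try:
        return not find_script_hrefs(svg)
    except ET.ParseError:
        return False  # malformed input: reject rather than guess

# Constructed sample: the first <a> hides the scheme behind a character
# reference (&#106; is "j"), the second is an ordinary link.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a href="&#106;avascript:void(0)"><text x="10" y="20">one</text></a>
  <a xlink:href="https://example.com/"><text x="10" y="40">two</text></a>
</svg>"""
```

Even with the parser check in place, serving uploads with a Content-Disposition: attachment header, as the advisory notes, prevents inline rendering if a future bypass is missed. For untrusted XML in production, parse with defusedxml rather than the standard library.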

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-34974, GHSA-5CRX-PFHQ-4HGG

Affected Products: phpMyFAQ