PT-2026-41362 · Phpmyfaq · Phpmyfaq
Offset
·
Published
2026-05-06
·
Updated
2026-05-15
·
CVE-2026-46360
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.2
Description
A stored cross-site scripting issue exists in the
decodeAllEntities() function of the SvgSanitizer class. The function limits recursive entity decoding to 5 iterations, which allows the sanitization process to be bypassed. Authenticated users with FAQ EDIT permission can upload malicious SVG files containing deeply nested ampersand encoding around numeric HTML entities. This technique reconstructs javascript: URLs, leading to the execution of arbitrary JavaScript when other users view the uploaded SVG file.Recommendations
Update to version 4.1.2 or later.
As a temporary mitigation, restrict the
FAQ EDIT permission to trusted users only.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq