PT-2026-41362 · Phpmyfaq · Phpmyfaq

Offset

·

Published

2026-05-06

·

Updated

2026-05-15

·

CVE-2026-46360

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2
Description A stored cross-site scripting issue exists in the decodeAllEntities() function of the SvgSanitizer class. The function limits recursive entity decoding to 5 iterations, which allows the sanitization process to be bypassed. Authenticated users with FAQ EDIT permission can upload malicious SVG files containing deeply nested ampersand encoding around numeric HTML entities. This technique reconstructs javascript: URLs, leading to the execution of arbitrary JavaScript when other users view the uploaded SVG file.
Recommendations Update to version 4.1.2 or later. As a temporary mitigation, restrict the FAQ EDIT permission to trusted users only.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46360
GHSA-WHQH-9PQ5-C7R3
GHSA-WJ3Q-VW2V-3RJ3

Affected Products

Phpmyfaq