PT-2026-41365 · Phpmyfaq · Phpmyfaq

Offset

·

Published

2026-05-06

·

Updated

2026-05-16

·

CVE-2026-46363

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2
Description A stored cross-site scripting issue exists in the FAQ creation and update endpoints. Authenticated attackers with FAQ ADD permission can bypass sanitization through encode-decode cycles to inject malicious script tags via the question or answer parameters. These scripts execute in the browser of any visitor when the FAQ content is rendered using the raw Twig filter (a filter that outputs content without escaping).
Recommendations Update to version 4.1.2 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46363
GHSA-F5P7-2C9Q-8896
GHSA-H36G-93QX-RXGR

Affected Products

Phpmyfaq