PT-2026-42648 — XSS in Packagist Phpmyfaq+2

PT-2026-42648 · Packagist · Phpmyfaq+2

Published

2026-05-15

Updated

2026-05-15

CVSS v4.0

8.3

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9525-27vj-c8r8. This link is maintained to preserve external references.

Original Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

GHSA-W42G-JJ8W-FJ77

Affected Products

Phpmyfaq

Phpmyfaq/Phpmyfaq

Thorsten/Phpmyfaq