CVE-2026-46367

HIGH7.6EPSS 0.01%

phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering

Published: 5/15/2026Modified: 5/21/2026

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Affected packages (2)

Packagist/phpMyFAQfrom 0, < 4.1.2
Packagist/phpMyFAQ/phpMyFAQfrom 0, < 4.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-46367
PATCHhttps://github.com/thorsten/phpMyFAQ
WEBhttps://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
WEBhttps://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-utils-parseurl-in-comment-rendering