CVE-2026-46367

HIGH7.6EPSS 0.01%

phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering

發布日:2026/5/15修改日:2026/5/21

描述

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

受影響套件(2)

Packagist/phpMyFAQfrom 0, < 4.1.2
Packagist/phpMyFAQ/phpMyFAQfrom 0, < 4.1.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-46367
PATCHhttps://github.com/thorsten/phpMyFAQ
WEBhttps://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
WEBhttps://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-utils-parseurl-in-comment-rendering