CVE-2026-46367
7.6 HIGHphpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject...
Published: 2026-05-15 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 7.6 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
- CWE
- CWE-79
Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-46367
- [Other]https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
- [Other]https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-utils-parseurl-in-comment-rendering
- [Other]https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
Related CVEs
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)