phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig | Advisories

Advisories

phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig

severity: medium
date: 5/15/2026
Affecting: phpmyfaq >= 0, < 4.1.2
CVE: CVE-2026-46361
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 6.9
References: GHSA Advisory GHSA-pqh6-8fxf-jx22
Credit: Doodi101
Description: phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo