CVE-2026-46367
Published 2026-05-15
Priority: P4. CVSS 3.1 base score 7.6 (high), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N.
EPSS: 0.21% (11.8th percentile).
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
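The advisory describes the defect class: a quote inside a user-supplied URL terminates the attribute the URL is written into, so whatever follows is parsed as further attributes. The PHP below is an added example written for this page, not phpMyFAQ's Utils::parseUrl() or the 4.1.2 fix; the function names, the URL pattern and the sample comment are constructed, and it assumes PHP 8 (for str_contains()). It shows the rendering discipline that closes the hole: every fragment, the URL included, is escaped for attribute context with ENT_QUOTES, and only http/https targets are turned into links.

```php
<?php
// Added example for this page, not phpMyFAQ's Utils::parseUrl() nor the
// 4.1.2 fix. All names, the URL pattern and the sample comment are
// constructed. Requires PHP 8 (str_contains).
declare(strict_types=1);

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

/**
 * Escape a fragment for HTML text or attribute context. ENT_QUOTES turns
 * both " and ' into entities, so a quote inside a URL can no longer close
 * the href attribute it is placed in.
 */
function esc(string $s): string
{
    return htmlspecialchars($s, ESC_FLAGS, 'UTF-8');
}

/**
 * Turn one candidate URL into an anchor, or into escaped text if its scheme
 * is not http/https. The defect class in the advisory is the opposite
 * pattern: concatenating the raw URL straight into href="...".
 * The scheme check is defence in depth for matchers broader than the one
 * used below.
 */
function linkify(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return esc($url);
    }
    $safe = esc($url);
    return '<a href="' . $safe . '" rel="nofollow noopener" target="_blank">' . $safe . '</a>';
}

/**
 * Render comment text: plain text is escaped, bare URLs become links.
 * The pattern stops at whitespace and angle brackets; everything it
 * captures, quotes included, goes through esc() before reaching the output.
 */
function renderCommentSafely(string $text): string
{
    $pattern = '~\bhttps?://[^\s<>]+~i';
    $out = '';
    $pos = 0;
    if (preg_match_all($pattern, $text, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [$url, $offset]) {
            $out .= esc(substr($text, $pos, $offset - $pos));
            $out .= linkify($url);
            $pos = $offset + strlen($url);
        }
    }
    return $out . esc(substr($text, $pos));
}

// Constructed sample comment: the first URL carries a double quote, the
// character that would terminate an unescaped href attribute; the second
// is a benign link.
$sample = 'see http://example.com/page"x then https://example.org/ok';
$html = renderCommentSafely($sample);

// Self-check: the raw quote never reaches the markup, the encoded form does.
if (str_contains($html, 'page"x') || !str_contains($html, 'page&quot;x')) {
    throw new RuntimeException('unsafe rendering');
}
echo $html, PHP_EOL;
```

Run it with `php render.php`; the printed anchor carries `href="http://example.com/page&quot;x"`, so the browser sees one attribute value and no room for an injected event handler. The same discipline applies to any other place comment text is echoed, since the escaping must match the context (text node versus attribute) the value lands in.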
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | >= 0 < 4.1.2 | 4.1.2 |
| thorsten | phpmyfaq | >= 4.1.1 < 4.1.2 | 4.1.2 |
CVSS provenance:
NVD, CVSS v3.1: 7.6 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
NVD, CVSS v4.0: 8.3 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Advisories:
GHSA, 2026-05-15: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering (CVE-2026-46367, HIGH, CWE-79). Description as given above.
GHSA-w42g-jj8w-fj77 (ghsa_unreviewed), 2026-05-15: "phpMyFAQ before 4" (CVE-2026-46367, HIGH, CWE-79). Same description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.