CVE-2026-46367
published 2026-05-15

Priority: P433
Severity: high, 7.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS: 0.21% (11.8th percentile)

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | >= 0 < 4.1.2 | 4.1.2 |
| thorsten | phpmyfaq | >= 4.1.1 < 4.1.2 | 4.1.2 |

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
| nvd | v4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |