cvebase

Thorsten Phpmyfaq vulnerabilities

117 known vulnerabilities affecting thorsten/phpmyfaq.

Total CVEs: 117
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 9, HIGH 37, MEDIUM 69, LOW 2

Vulnerabilities

Page 4 of 6
CVE-2026-46360 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.1.2 | 2026-05-15
CWE-79: phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities
Sources: GHSA, NVD
CVE-2026-46363 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.1.2 | 2026-05-15
CWE-79: phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when
Sources: GHSA, NVD
CVE-2026-45009 | P4 | MEDIUM | CVSS 4.3 | ≥ 4.1.1, < 4.1.2 | 2026-05-15
CWE-863: phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including das
Sources: GHSA, NVD
CVE-2023-1883 | P4 | MEDIUM | ≥ 0, < 3.1.12 | 2023-04-05
CWE-284: thorsten/phpmyfaq vulnerable to improper access control. thorsten/phpmyfaq prior to 3.1.12 is vulnerable to improper access control when FAQ News is marked as inactive in settings and has comments enabled, allowing comments to be posted on inactive FAQs. This has been fixed in 3.1.12.
Sources: GHSA, OSV
CVE-2026-45007 | P4 | MEDIUM | CVSS 4.3 | fixed in 4.1.2 | 2026-05-15
CWE-862: phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /adm
Sources: NVD
CVE-2023-0312 | P4 | MEDIUM | ≥ 0, < 3.1.10 | 2023-01-16
CWE-79: thorsten/phpmyfaq is vulnerable to cross-site scripting (XSS). Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
Sources: GHSA, OSV
CVE-2023-2428 | P4 | MEDIUM | ≥ 0, < 3.1.13 | 2023-04-30
CWE-79: phpMyFAQ vulnerable to Stored Cross-site Scripting. phpMyFAQ prior to version 3.1.13 has a stored cross-site scripting vulnerability in the `name` field of the add question module. This allows an attacker to steal user cookies.
Sources: GHSA, OSV
CVE-2023-0310 | P4 | MEDIUM | ≥ 0, < 3.1.10 | 2023-01-16
CWE-79: phpMyFAQ Stored Cross-site Scripting vulnerability. Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
Sources: GHSA, OSV
CVE-2023-0306 | P4 | MEDIUM | ≥ 0, < 3.1.10 | 2023-01-16
CWE-79: phpMyFAQ Stored Cross-site Scripting vulnerability. Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
Sources: GHSA, OSV
CVE-2023-1758 | P4 | HIGH | ≥ 0, < 3.1.12 | 2023-04-05
CWE-75: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) in FAQ comment username parameter. thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ comment username parameter. This has been fixed in 3.1.12.
Sources: GHSA, OSV
CVE-2023-2998 | P4 | MEDIUM | ≥ 0, < 3.1.14 | 2023-05-31
CWE-79: thorsten/phpmyfaq vulnerable to cross-site scripting. In thorsten/phpmyfaq prior to 3.1.14, when admins create a FAQ News, they can inject an XSS payload via the "text of the record" section.
Sources: GHSA, OSV
CVE-2023-1755 | P4 | MEDIUM | ≥ 0, < 3.1.12 | 2023-03-31
CWE-79: phpMyFAQ Cross-site Scripting vulnerability. Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
Sources: GHSA, OSV
CVE-2023-2753 | P4 | MEDIUM | ≥ 0, < 3.2.0-beta | 2023-05-17
CWE-79: phpMyFAQ vulnerable to stored Cross-site Scripting. Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.
Sources: GHSA, OSV
CVE-2023-2752 | P4 | MEDIUM | ≥ 0, < 3.2.0-beta | 2023-05-17
CWE-79: phpMyFAQ vulnerable to stored Cross-site Scripting. Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.
Sources: GHSA, OSV
CVE-2023-1878 | P4 | HIGH | ≥ 0, < 3.1.12 | 2023-04-05
CWE-79: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via adminlog. thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the adminlog. This has been fixed in 3.1.12.
Sources: GHSA, OSV
CVE-2023-1757 | P4 | HIGH | ≥ 0, < 3.1.12 | 2023-04-05
CWE-79: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via FAQ News link parameter. thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ News link parameter. This has been fixed in 3.1.12.
Sources: GHSA, OSV
CVE-2023-1882 | P4 | HIGH | ≥ 0, < 3.1.12 | 2023-04-05
CWE-79: thorsten/phpmyfaq vulnerable to DOM cross-site scripting (XSS) via configuration privacy note URL parameter. thorsten/phpmyfaq prior to 3.1.12 is vulnerable to DOM cross-site scripting (XSS) because it fails to sanitize user input in the configuration privacy note URL parameter. This has been fixed in 3.1.12.
Sources: GHSA, OSV
CVE-2022-3765 | P4 | MEDIUM | ≥ 0, < 3.1.8 | 2022-10-31
CWE-79: phpMyFAQ vulnerable to stored Cross-site Scripting. phpMyFAQ prior to version 3.1.8 is vulnerable to stored Cross-site Scripting.
Sources: GHSA, OSV
CVE-2023-0314 | P4 | MEDIUM | ≥ 0, < 3.1.10 | 2023-01-16
CWE-79: phpMyFAQ Reflected Cross-site Scripting vulnerability. Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
Sources: GHSA, OSV
CVE-2023-5320 | P4 | CRITICAL | ≥ 0, < 3.1.18 | 2023-09-30
CWE-79: phpMyFAQ Cross-site Scripting vulnerability. Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
Sources: GHSA, OSV