HTML Injection Vulnerability in phpMyFAQ by Thorsten
CVE-2026-32629

5.4 MEDIUM

Key Information:

Vendor: Thorsten

Status
Vendor
CVE Published: 2 April 2026

What is CVE-2026-32629?

phpMyFAQ, an open-source FAQ web application, contains an HTML injection vulnerability caused by a weakness in email validation. Prior to version 4.1.1, an unauthenticated attacker could submit a guest FAQ with a syntactically valid email address that includes raw HTML content. The address was stored without HTML sanitization and later displayed in the admin FAQ editor without escaping. The issue is fixed in version 4.1.1.
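
The pattern described above, as an added PHP example (not phpMyFAQ's own code): a syntax-only email check next to unescaped and escaped rendering of the stored value. It assumes the address is checked with `filter_var` and rendered into a form field's `value` attribute; the function names and the sample address are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: RFC 5322 permits < and > inside a quoted local-part.
const SAMPLE_EMAIL = '"<i>guest</i>"@example.com';

// Syntax check only: a pass here says nothing about HTML safety.
function isSyntacticallyValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Before: the stored value is concatenated into markup as-is, so its
// quote and angle brackets are parsed as HTML by the browser.
function renderEmailFieldUnescaped(string $email): string
{
    return '<input type="email" name="email" value="' . $email . '">';
}

// After: encode for the HTML attribute context at output time.
function renderEmailFieldEscaped(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="email" name="email" value="' . $safe . '">';
}

// Defence in depth (hypothetical intake policy): also refuse addresses that
// contain markup delimiters. Output encoding remains the actual fix.
function passesStrictIntake(string $email): bool
{
    return isSyntacticallyValidEmail($email)
        && strpbrk($email, '<>"') === false;
}

printf("syntax check passes: %s\n", var_export(isSyntacticallyValidEmail(SAMPLE_EMAIL), true));
printf("strict intake passes: %s\n", var_export(passesStrictIntake(SAMPLE_EMAIL), true));
printf("unescaped: %s\n", renderEmailFieldUnescaped(SAMPLE_EMAIL));
printf("escaped:   %s\n", renderEmailFieldEscaped(SAMPLE_EMAIL));
```

Escaping at output time also covers addresses that were stored before any intake rule was tightened.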

Affected Version(s)

phpMyFAQ < 4.1.1

CVSS V4

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
