Stored Cross-Site Scripting Vulnerability in phpMyFAQ by phpMyFAQ
CVE-2026-46361
6.9 MEDIUM
What is CVE-2026-46361?
A stored cross-site scripting vulnerability exists in phpMyFAQ prior to version 4.1.2, specifically in the search.twig template. The result.question and result.answerPreview variables are rendered through Twig's raw filter, which disables the autoescaping that would otherwise neutralise HTML in those values. As a result, an attacker with FAQ editor privileges can store an HTML-entity-encoded payload that survives the html_entity_decode(strip_tags()) sanitisation step: strip_tags finds no tags in the entity-encoded text, and html_entity_decode then turns the entities back into live markup. The resulting script executes in the browser context of any visitor who views the search results, including administrators, potentially compromising user data and site integrity.
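The following is an added illustration, not code from phpMyFAQ, of why the sanitisation order described above lets entity-encoded markup through and why escaping at the output boundary (Twig autoescape, or htmlspecialchars in plain PHP) is the control that actually matters. The sample input and the function names flawedPreview and safePreview are constructed for this demonstration; the Twig snippets in the comments use standard Twig syntax and are not quoted from search.twig.

```php
<?php
// Added example (not phpMyFAQ code). Constructed input as an FAQ editor could
// store it: the tags are HTML-entity-encoded, so strip_tags() sees no tags.
$stored = 'How do I reset my password? &lt;script&gt;/* attacker-controlled */&lt;/script&gt;';

// Flawed ordering: strip first, decode second. Decoding re-creates the markup
// that strip_tags() never saw. Rendered with {{ result.answerPreview|raw }},
// this string reaches the browser as live HTML.
function flawedPreview(string $s): string
{
    return html_entity_decode(strip_tags($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Corrected approach: derive the plain-text preview (decode, then strip), and
// escape at the output boundary. In Twig, removing the |raw filter so that
// {{ result.answerPreview }} is autoescaped gives the same effect as the
// htmlspecialchars() call below.
function safePreview(string $s): string
{
    $plain = strip_tags(html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Minimal check a reviewer can apply to any value that will be rendered as
// HTML: no raw angle brackets may survive the sanitisation/escaping path.
function containsRawMarkup(string $s): bool
{
    return strpos($s, '<') !== false || strpos($s, '>') !== false;
}

echo "flawed : " . flawedPreview($stored) . PHP_EOL;
echo "safe   : " . safePreview($stored) . PHP_EOL;

assert(containsRawMarkup(flawedPreview($stored)) === true);
assert(containsRawMarkup(safePreview($stored)) === false);

// Double-encoded input (&amp;lt;) decodes once to &lt;, which htmlspecialchars()
// re-escapes, so the browser displays the literal text rather than a tag.
$doubleEncoded = '&amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;';
assert(containsRawMarkup(safePreview($doubleEncoded)) === false);
```

The design point is that sanitisation of stored input is at best defence in depth; the decisive control is contextual escaping where the value is written into HTML, which is exactly what the raw filter switches off.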
Affected Version(s)
phpmyfaq 0 < 4.1.2
phpmyfaq 4.1.2
