CVE-2026-32629
MEDIUM
phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Title source: cna
Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
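An added illustration of the two halves of this bug in plain PHP (this is not phpMyFAQ's code; the helper names are ours, and the sample address is the one quoted in the advisory): FILTER_VALIDATE_EMAIL accepts the quoted-local-part address, so safety has to come from escaping at the template boundary (dropping Twig's |raw so autoescape runs), with an optional stricter input check as defense in depth.

```php
<?php
// Added example, not phpMyFAQ code: shows why a FILTER_VALIDATE_EMAIL pass
// does not make an address safe to render, and what each mitigation does.
declare(strict_types=1);

// Constructed sample inputs; the second is the advisory's example address.
$samples = [
    'alice@example.com',
    '"<script>alert(1)</script>"@evil.com',   // RFC 5321 quoted local part
];

// The check the vulnerable code relied on. It is a syntax check only.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Mitigation 1 (output side): escape at the template boundary.
// In Twig this is what autoescape does once the |raw filter is removed.
function renderEscaped(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mitigation 2 (input side, defense in depth, hypothetical policy): reject
// quoted local parts, which ordinary sign-up addresses never need and which
// are the only way to get characters like < > " into an RFC-valid address.
function isPlainEmail(string $email): bool
{
    if (!isValidEmail($email)) {
        return false;
    }
    $local = substr($email, 0, strrpos($email, '@'));
    return $local[0] !== '"' && preg_match('/[<>"\'\\\\]/', $email) !== 1;
}

foreach ($samples as $email) {
    printf(
        "%-40s valid=%d plain=%d escaped=%s\n",
        $email,
        (int) isValidEmail($email),
        (int) isPlainEmail($email),
        renderEscaped($email)
    );
}
```

The output escaping is the fix that matters; the input check only narrows what can reach storage and should not replace it.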
Scores
CVSS v3
6.1
EPSS
0.0015
EPSS Percentile
35.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
CWE-79
Status
published
Products (4)
phpmyfaq/phpmyfaq
< 4.1.1
phpmyfaq/phpmyfaq
0 - 4.1.1 (Packagist)
thorsten/phpmyfaq
0 - 4.1.1 (Packagist)
thorsten/phpMyFAQ
< 4.1.1
Published
Apr 02, 2026
Tracked Since
Apr 02, 2026