EIP-2026-111163

PRE-CVE

phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111163. PoCs published by Kacper Szurek.

AI-analyzed exploit summary This is a technical writeup detailing a stored XSS vulnerability in phpMyFAQ 2.9.0, where the `filter_input()` function with `FILTER_VALIDATE_URL` fails to sanitize user input, allowing malicious scripts to be injected via the 'Link for this FAQ' field. The exploit is triggered when an admin activates the article or when the `records.defaultActivation` option is enabled.

Description

phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP

by Kacper Szurek · textwebappsphp

https://www.exploit-db.com/exploits/39913

View Code ZIP pw:eip

This is a technical writeup detailing a stored XSS vulnerability in phpMyFAQ 2.9.0, where the `filter_input()` function with `FILTER_VALIDATE_URL` fails to sanitize user input, allowing malicious scripts to be injected via the 'Link for this FAQ' field. The exploit is triggered when an admin activates the article or when the `records.defaultActivation` option is enabled.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: phpMyFAQ 2.9.0

Auth required

Prerequisites: User access to propose FAQ entries · Admin activation of the malicious FAQ entry or enabled `records.defaultActivation` option

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026