SB2026042343 - Multiple vulnerabilities in phpMyFAQ

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2026-32629)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within Email field in Admin FAQ editor. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Stored cross-site scripting (CVE-ID: CVE-2026-34729)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "Filter::removeAttributes()" function. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Path traversal (CVE-ID: CVE-2026-34728)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the "MediaBrowserController::index()" method. A remote user can send a specially crafted HTTP request and delete arbitrary files on the system.

4) Stored cross-site scripting (CVE-ID: CVE-2026-34974)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the regex-based SVG sanitizer. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-34973)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper neutralization of special elements in data query logic within searchCustomPages() in Search.php. A remote attacker can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph
• https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7
• https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x
• https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg
• https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x