Cross-site scripting in phpMyFAQ - #VU130119


Published: May 5, 2026


Vulnerability identifier: #VU130119
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software: phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation when stored FAQ content is rendered in search results (search.twig and SearchController.php). A remote privileged user can store HTML-entity-encoded script payloads in FAQ content that execute arbitrary script in a victim's browser and disclose sensitive information.

User interaction is required when a victim visits a search results page containing the poisoned content, and the issue can affect unauthenticated visitors as well as administrators.
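The pattern the advisory describes is a result renderer that decodes entity-encoded FAQ content and then emits it as raw HTML, so a payload stored as `&lt;script&gt;` becomes live markup on the search page. The following is an added, illustrative Python model of that failure mode beside an output-escaping fix and a simple audit for already-stored records; it is not phpMyFAQ code, and `FAQ_RECORDS`, `render_result_vulnerable`, `render_result_fixed`, `contains_active_markup` and `audit_records` are constructed for this example.

```python
"""Stored XSS via entity-encoded content in search results: vulnerable render,
escaped render, and an audit over stored records (illustrative, not phpMyFAQ)."""
import html
import re

# Constructed sample FAQ records; record 3 carries an entity-encoded payload.
FAQ_RECORDS = [
    {"id": 1, "title": "Password reset", "content": "Use the <b>Forgot password</b> link."},
    {"id": 2, "title": "Support hours", "content": "Mon&ndash;Fri, 9&ndash;17"},
    {"id": 3, "title": "Poisoned entry", "content": "Call &lt;script&gt;probe()&lt;/script&gt; for help"},
]


def render_result_vulnerable(record: dict) -> str:
    """Decodes entities to 'tidy' the excerpt, then trusts the result as HTML.
    Anything the author entity-encoded comes back as live markup."""
    text = html.unescape(record["content"])
    return f'<li><a href="/faq/{record["id"]}">{record["title"]}</a>: {text}</li>'


def render_result_fixed(record: dict) -> str:
    """Escapes at output time. Decoding first keeps named entities such as
    &ndash; readable; re-escaping makes any tag-like text inert."""
    text = html.escape(html.unescape(record["content"]), quote=True)
    title = html.escape(record["title"], quote=True)
    return f'<li><a href="/faq/{record["id"]}">{title}</a>: {text}</li>'


# Markup that should never appear in an excerpt once entities are resolved.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.I
)


def contains_active_markup(content: str, max_decode_rounds: int = 3) -> bool:
    """Resolve entities repeatedly (content may be encoded more than once) and
    report whether the decoded text carries script-bearing markup."""
    text = content
    for _ in range(max_decode_rounds):
        decoded = html.unescape(text)
        if ACTIVE_MARKUP.search(decoded):
            return True
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    return False


def audit_records(records: list) -> list:
    """IDs of stored records whose decoded content would execute if rendered raw."""
    return [r["id"] for r in records if contains_active_markup(r["content"])]


if __name__ == "__main__":
    for rec in FAQ_RECORDS:
        print("vulnerable:", render_result_vulnerable(rec))
        print("fixed:     ", render_result_fixed(rec))
    print("records needing review:", audit_records(FAQ_RECORDS))
```

The audit decodes in rounds because a filter that only inspects the raw stored string misses a payload encoded twice; the renderer fix is to escape at the template boundary (in Twig terms, never pass decoded content through a raw filter) rather than to rely on input-side stripping. If excerpts must keep limited formatting such as `<b>`, replace the blanket escape with an allow-list sanitizer applied after decoding.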


Remediation

Install the security update from the vendor's website.

Sources