Cross-site scripting in phpMyFAQ - #VU130121
Published: May 5, 2026
phpMyFAQ
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser within the application origin.
The vulnerability exists due to improper neutralization of input during web page generation in SvgSanitizer::decodeAllEntities() when processing uploaded SVG files containing deeply nested entity-encoded javascript: links. A remote user can upload a specially crafted SVG file to execute arbitrary JavaScript in a victim's browser within the application origin.
User interaction is required, as the victim must click the malicious link embedded in the rendered SVG.
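As an added illustration (not phpMyFAQ's own code; the advisory does not say how decodeAllEntities() bounds its decoding), the Python check below decodes nested character references to a fixpoint and fails closed when its round cap is exhausted, then allowlists the link scheme. The round cap, scheme allowlist, helper names and sample SVG are all constructed for this example.

```python
import html
import re
import xml.etree.ElementTree as ET

MAX_DECODE_ROUNDS = 8  # constructed cap for this example, not phpMyFAQ's value
ALLOWED_SCHEMES = {"http", "https", "mailto"}
HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def decode_to_fixpoint(value, max_rounds=MAX_DECODE_ROUNDS):
    """Decode character references until the string stops changing.
    Returns (decoded, exhausted); exhausted=True means the cap was hit while
    the value was still changing, so `decoded` must not be trusted."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(current)
        if decoded == current:
            return current, False
        current = decoded
    return current, html.unescape(current) != current


def is_unsafe_link(raw_value):
    """True unless the fully decoded link is relative or uses an allowed scheme."""
    decoded, exhausted = decode_to_fixpoint(raw_value)
    if exhausted:
        return True  # fail closed: nested too deeply to judge safely
    # Drop whitespace/control characters that browsers ignore inside a scheme
    # ("java\tscript:"), then compare case-insensitively.
    compact = re.sub(r"[\s\x00-\x1f]", "", decoded).lower()
    match = SCHEME_RE.match(compact)
    return match is not None and match.group(1) not in ALLOWED_SCHEMES


def svg_has_unsafe_link(svg_text):
    """Scan every href / xlink:href attribute of a parsed SVG document."""
    root = ET.fromstring(svg_text)
    return any(attr in el.attrib and is_unsafe_link(el.attrib[attr])
               for el in root.iter() for attr in HREF_ATTRS)


def nest_entities(value, depth):
    """Constructed test input: wrap an entity-encoded value `depth` more times."""
    for _ in range(depth):
        value = value.replace("&", "&amp;")
    return value


# Constructed sample: the XML parser strips one layer, so the sanitizer sees
# "&#106;avascript:..." and must decode it before checking the scheme.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="&amp;#106;avascript:alert(1)"><text>click</text></a></svg>'
)
```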