Cross-site scripting in phpMyFAQ - #VU130125


Published: May 5, 2026


Vulnerability identifier: #VU130125
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software:
phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to insufficient sanitization of user-supplied data in Utils::parseUrl() and in comment rendering when stored comment content containing a crafted URL is rendered. A remote user can submit a specially crafted comment that executes arbitrary script in a victim's browser.

Only instances with main.enableCommentEditor enabled are vulnerable. User interaction is required to view the affected FAQ or News page or the admin comment panel.
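To illustrate the defensive side of this class of bug, here is an added example (not phpMyFAQ's own Utils::parseUrl() or comment-rendering code): a comment renderer that allow-lists URL schemes and escapes output both as text and as an attribute value. The function names and sample inputs are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code: every character of the comment is
// escaped as text; only URLs with an allow-listed scheme become <a>
// elements, and the href is escaped as an attribute value so a crafted
// URL cannot break out of the tag.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommentSafely(string $comment): string
{
    $allowedSchemes = ['http', 'https'];

    // Candidate URL: scheme, "://", then a run of characters that are not
    // whitespace, angle brackets or quotes.
    $pattern = '~\b([a-z][a-z0-9+.\-]*)://[^\s<>"\']+~i';

    $out = '';
    $offset = 0;
    if (preg_match_all($pattern, $comment, $m, PREG_OFFSET_CAPTURE) > 0) {
        foreach ($m[0] as $i => [$url, $pos]) {
            // Plain text before the URL: escape as text.
            $out .= esc(substr($comment, $offset, $pos - $offset));

            $scheme = strtolower($m[1][$i][0]);
            $parts = parse_url($url);
            if (in_array($scheme, $allowedSchemes, true)
                && $parts !== false && isset($parts['host'])) {
                $href = esc($url);
                $out .= '<a href="' . $href . '" rel="nofollow noopener">'
                      . $href . '</a>';
            } else {
                // Unknown scheme or unparsable URL: render as inert text.
                $out .= esc($url);
            }
            $offset = $pos + strlen($url);
        }
    }
    return $out . esc(substr($comment, $offset));
}

// Constructed sample inputs (hypothetical comment text).
echo renderCommentSafely('See https://example.com/docs?a=1&b=2 for details'), PHP_EOL;
echo renderCommentSafely('Not linked: ftp://example.com/ and "quoted" text'), PHP_EOL;
```

The first call yields one anchor whose href has `&` encoded as `&amp;`; the second leaves the ftp URL and the quotes as escaped text only.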


Remediation

Install the security update from the vendor's website.

Sources