ByteOS Network

NVD Vulnerability Details :

CVE-2026-46363

Received

Source-disclosure@vulncheck.com

Published At-15 May, 2026 | 19:17

Updated At-15 May, 2026 | 21:16

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	disclosure@vulncheck.com

CWE ID: CWE-79

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass	disclosure@vulncheck.com	N/A
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A