HIGH | CVE-2026-46361 | CNA: VulnCheck
CVE-2026-46361: phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.
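The sanitisation-order problem the advisory describes, as an added illustration written for this page (not phpMyFAQ's own code): the stored string and both helper names are constructed, and the hardened version stands in for what Twig's autoescape does once the `raw` filter is dropped.

```php
<?php
// Added example, not phpMyFAQ code. Shows why strip_tags() before html_entity_decode()
// is the wrong order, and why escaping at output (Twig autoescape, no |raw) is the fix.

// Constructed sample: an entity-encoded tag as a FAQ editor could store in a question field.
$stored = 'Reset password &lt;script&gt;alert(1)&lt;/script&gt;';

// Vulnerable order (the pattern the advisory describes): strip_tags() sees no '<' in the
// entity-encoded input, so nothing is removed; html_entity_decode() then turns the
// entities into live markup, which the template prints unescaped via |raw.
function previewVulnerable(string $s): string
{
    return html_entity_decode(strip_tags($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: decode first so strip_tags() actually sees the markup, then HTML-escape the
// result for output. The escaping step is what guarantees safety; stripping alone is
// best-effort (a double-encoded '&amp;lt;' would survive a single decode pass).
function previewHardened(string $s): string
{
    $text = strip_tags(html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo previewVulnerable($stored), PHP_EOL;
// Reset password <script>alert(1)</script>   <- live markup reaches every visitor's browser
echo previewHardened($stored), PHP_EOL;
// Reset password alert(1)                    <- tag removed, remaining text escaped
```

In the template the equivalent fix is to render `result.question` and `result.answerPreview` without `|raw` so Twig's autoescape applies; any filtering in the controller is then defence in depth rather than the only barrier.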
Metrics
- CVSS v4.0: 8.2
- Severity: HIGH
- Fixed in: 4.1.2
- Affected Products: 1
Fix available: 4.1.2
Affected packages
- thorsten/phpmyfaq: < 4.1.2 (affected from 0), fixed in 4.1.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N