CVE-2026-46367

Sažetak

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Reference

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-utils-parseurl-in-comment-rendering
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8

CVSS

Base:	7.6
Impact:	4.7
Exploitability:	2.3

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Zadnje važnije ažuriranje

16-05-2026 - 02:16

Objavljeno

15-05-2026 - 19:17