Home

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-15 | Updated 2026-05-15 | Assigner VulnCheck




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

Any version before 4.1.2
affected

4.1.2 (semver)
unaffected

Credits

offset reporter

References

github.com/...pMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3 exploit

github.com/...pMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3 (GHSA Advisory GHSA-whqh-9pq5-c7r3) vendor-advisory

www.vulncheck.com/...ing-depth-limit-bypass-in-svg-sanitizer (VulnCheck Advisory: phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer) third-party-advisory

cve.org (CVE-2026-46360)

nvd.nist.gov (CVE-2026-46360)

Download JSON