VYPR
\"@evil.com. ","datePublished":"2026-04-02T15:16:38.017Z","dateModified":"2026-04-07T16:10:02.627Z","publisher":{"@type":"Organization","@id":"https://portal.vyprsec.ai#publisher","name":"VYPR","url":"https://portal.vyprsec.ai","logo":{"@type":"ImageObject","url":"https://portal.vyprsec.ai/icon.svg","width":64,"height":64},"description":"Real-time CVE intelligence newsroom — feeds, exploits, vendor advisories, and AI-synthesized insights."},"author":{"@type":"Organization","@id":"https://portal.vyprsec.ai#publisher","name":"VYPR","url":"https://portal.vyprsec.ai","logo":{"@type":"ImageObject","url":"https://portal.vyprsec.ai/icon.svg","width":64,"height":64},"description":"Real-time CVE intelligence newsroom — feeds, exploits, vendor advisories, and AI-synthesized insights."},"proficiencyLevel":"Expert","about":{"@type":"Thing","@id":"https://nvd.nist.gov/vuln/detail/CVE-2026-32629","name":"CVE-2026-32629","identifier":"CVE-2026-32629","description":"phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example \"\"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32629"]},"keywords":"CVE-2026-32629, Medium, CWE-20, CWE-79, PhpMyAdmin Phpmyfaq","mentions":[{"@type":"SoftwareApplication","name":"Phpmyfaq","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"PhpMyAdmin"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-32629","item":"https://portal.vyprsec.ai/cves/CVE-2026-32629"}]}]}
Medium severity6.1NVD Advisory· Published Apr 2, 2026· Updated Apr 7, 2026

CVE-2026-32629

CVE-2026-32629

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example ""@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 4.1.14.1.1
phpmyfaq/phpmyfaqPackagist
< 4.1.14.1.1

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.