Medium severity6.9NVD Advisory· Published May 15, 2026· Updated May 16, 2026

CVE-2026-46361

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.

Affected products

Thorsten/Phpmyfaqinferred
Range: <4.1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pqh6-8fxf-jx22nvd
www.vulncheck.com/advisories/phpmyfaq-stored-cross-site-scripting-via-raw-filter-in-search-twignvd

News mentions

No linked articles in our index yet.

cvss	0.449
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000