High severity7.6NVD Advisory· Published May 15, 2026· Updated May 16, 2026

CVE-2026-46367

Description

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8nvd
www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-utils-parseurl-in-comment-renderingnvd

News mentions

No linked articles in our index yet.

cvss	0.494
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000