CVE-2026-46367

Source
https://cve.org/CVERecord?id=CVE-2026-46367
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46367.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46367
Aliases
Published
2026-05-15T18:36:46.103Z
Modified
2026-07-08T08:13:37.967309845Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N CVSS Calculator
Summary
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering
Details

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46367.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/thorsten/phpmyfaq

Affected ranges

Type
GIT
Repo
https://github.com/thorsten/phpmyfaq
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.1.1"
        },
        {
            "fixed": "4.1.2"
        },
        {
            "introduced": "0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

4.*
4.1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46367.json"