GHSA-98gw-w575-h2ph

Suggest an improvement
Source
https://github.com/advisories/GHSA-98gw-w575-h2ph
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-98gw-w575-h2ph/GHSA-98gw-w575-h2ph.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-98gw-w575-h2ph
Aliases
  • CVE-2026-32629
Published
2026-03-31T22:48:45Z
Modified
2026-04-06T17:38:57.060243Z
Severity
  • 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P CVSS Calculator
Summary
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Details

Summary

An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTERVALIDATEEMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely.

Details

  1. PHP FILTERVALIDATEEMAIL accepts RFC-valid quoted local parts with dangerous characters

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php:99 $email = trim((string) Filter::filterVar($data->email, FILTERVALIDATEEMAIL)); PHP accepts "<script>alert(1)</script>"@evil.com as a valid email (RFC 5321 allows <, > inside quoted local parts). Confirmed: "<script>alert(1)</script>"@evil.com => string (valid, not false)

  1. Email stored raw without HTML sanitization

phpmyfaq/src/phpMyFAQ/Faq.php — email retrieved directly as $row->email from the database.

  1. Admin Twig template renders email with |raw

phpmyfaq/assets/templates/admin/content/faq.editor.twig:296 <input type="email" name="email" id="email" value="{{ faqData['email'] | raw }}" class="form-control">

Affected version: 4.2.0-alpha, commit f0dc86c8f

PoC

The reproduction of the vulnerability was implemented with the help of AI while reviewing the source code to generate the proof-of-concept. Please kindly note this for reference. Since the vulnerability has already been confirmed directly in the source code, the proof-of-concept code may be considered as a reference only.

Please extract the attached compressed file and proceed. poc.zip

  1. (docker compose -f docker-compose.yml down -v)

  2. docker compose -f docker-compose.yml up -d mariadb php-fpm nginx

    2. bash exploit.sh

  3. Access http://localhost:8888/admin/

  4. Log in with admin / Admin1234!
  5. After logging in, check whether the URL remains http://localhost:8888/admin/
  6. Go to Content → FAQ Administration → edit "poc" → alert popup should appear If it does not appear, you can also access it directly via: http://localhost:8888/admin/faq/edit/1/en

<img width="1388" height="239" alt="스크린샷 2026-03-12 오후 11 42 52" src="https://github.com/user-attachments/assets/b6d5446f-4eba-4cb2-9284-1bca4855142e" /> <img width="1171" height="92" alt="스크린샷 2026-03-12 오후 11 16 17" src="https://github.com/user-attachments/assets/3578e429-7106-4616-92ed-4167816d40f0" />

Impact

When an administrator opens /admin/faq/edit/{id}/{lang} to review the pending FAQ, the injected script executes in the admin's browser context. This allows an attacker to:

  • Steal the administrator's session cookie → full admin account takeover
  • Perform arbitrary admin actions (create users, modify content, change configuration)
  • Pivot to further attacks on the server

The attack chain requires no authentication. By default, records.allowNewFaqsForGuests=true allows unauthenticated FAQ submission, and records.defaultActivation=false guarantees the administrator must visit the edit page to review it.

Note on captcha: The built-in captcha is enabled by default when the PHP gd extension is present (spam.enableCaptchaCode=true). This prevents fully automated exploitation but does not prevent a targeted manual attack — an attacker can solve the captcha once and submit the payload.

Credits

wooseokdotkim

Database specific 
{
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T22:48:45Z",
    "nvd_published_at": "2026-04-02T15:16:38Z",
    "severity": "MODERATE"
}
References

Affected packages

Packagist / thorsten/phpmyfaq

Package

Name
thorsten/phpmyfaq
Purl
pkg:composer/thorsten/phpmyfaq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.1

Affected versions

2.*
2.8.0-alpha2
2.8.0-alpha3
2.8.0-beta
2.8.0-beta2
2.8.0-beta3
2.8.0-RC
2.8.0-RC2
2.8.0-RC3
2.8.0-RC4
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.8.15
2.8.16
2.8.17
2.8.18
2.8.19
2.8.20
2.8.21
2.8.22
2.8.23
2.8.24
2.8.25
2.8.26
2.8.27
2.8.28
2.8.29
2.9.0-alpha
2.9.0-alpha2
2.9.0-alpha3
2.9.0-alpha4
2.9.0-beta
2.9.0-beta2
2.9.0-rc
2.9.0-rc2
2.9.0-rc3
2.9.0-rc4
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.9.11
2.9.12
2.9.13
2.10.0-alpha
3.*
3.0.0-alpha
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-beta
3.0.0-beta.2
3.0.0-beta.3
3.0.0-RC
3.0.0-RC.2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0-alpha
3.1.0-alpha.2
3.1.0-alpha.3
3.1.0-beta
3.1.0-RC
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0-alpha
3.2.0-beta
3.2.0-beta.2
3.2.0-RC
3.2.0-RC.2
3.2.0-RC.4
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
4.*
4.0.0-alpha
4.0.0-alpha.2
4.0.0-alpha.3
4.0.0-alpha.4
4.0.0-beta
4.0.0-beta.2
4.0.0-RC
4.0.0-RC.2
4.0.0-RC.3
4.0.0-RC.4
4.0.0-RC.5
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.18
4.0.19
4.1.0-alpha
4.1.0-alpha.2
4.1.0-alpha.3
4.1.0-beta
4.1.0-beta.2
4.1.0-RC
4.1.0-RC.2
4.1.0-RC.4
4.1.0-RC.5
4.1.0-RC.6
4.1.0-RC.7
4.1.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-98gw-w575-h2ph/GHSA-98gw-w575-h2ph.json"
last_known_affected_version_range 
"<= 4.1.0"

Packagist / phpmyfaq/phpmyfaq

Package

Name
phpmyfaq/phpmyfaq
Purl
pkg:composer/phpmyfaq/phpmyfaq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.1

Affected versions

2.*
2.8.0-alpha2
2.8.0-alpha3
2.8.0-beta
2.8.0-beta2
2.8.0-beta3
2.8.0-RC
2.8.0-RC2
2.8.0-RC3
2.8.0-RC4
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.8.15
2.8.16
2.8.17
2.8.18
2.8.19
2.8.20
2.8.21
2.8.22
2.8.23
2.8.24
2.8.25
2.8.26
2.8.27
2.8.28
2.8.29
2.9.0-alpha
2.9.0-alpha2
2.9.0-alpha3
2.9.0-alpha4
2.9.0-beta
2.9.0-beta2
2.9.0-rc
2.9.0-rc2
2.9.0-rc3
2.9.0-rc4
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.9.11
2.9.12
2.9.13
2.10.0-alpha
3.*
3.0.0-alpha
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-beta
3.0.0-beta.2
3.0.0-beta.3
3.0.0-RC
3.0.0-RC.2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0-alpha
3.1.0-alpha.2
3.1.0-alpha.3
3.1.0-beta
3.1.0-RC
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0-alpha
3.2.0-beta
3.2.0-beta.2
3.2.0-RC
3.2.0-RC.2
3.2.0-RC.4
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
4.*
4.0.0-alpha
4.0.0-alpha.2
4.0.0-alpha.3
4.0.0-alpha.4
4.0.0-beta
4.0.0-beta.2
4.0.0-RC
4.0.0-RC.2
4.0.0-RC.3
4.0.0-RC.4
4.0.0-RC.5
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.18
4.0.19
4.1.0-alpha
4.1.0-alpha.2
4.1.0-alpha.3
4.1.0-beta
4.1.0-beta.2
4.1.0-RC
4.1.0-RC.2
4.1.0-RC.4
4.1.0-RC.5
4.1.0-RC.6
4.1.0-RC.7
4.1.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-98gw-w575-h2ph/GHSA-98gw-w575-h2ph.json"
last_known_affected_version_range 
"<= 4.1.0"