CVE-2026-46361— phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46361
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
Source: NVD (National Vulnerability Database)
Vulnerability Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46361
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46361
请登录查看更多情报信息。
Same Patch Batch · thorsten · 2026-05-15 · 13 CVEs total
| CVE-2026-46364 | 9.8 CRITICAL | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha |
| CVE-2026-45010 | 9.1 CRITICAL | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint |
| CVE-2026-46367 | 7.6 HIGH | phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering |
| CVE-2026-46359 | 7.5 HIGH | phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields |
| CVE-2026-46366 | 7.5 HIGH | phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypas |
| CVE-2026-45008 | 6.5 MEDIUM | phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter |
| CVE-2026-46362 | 6.5 MEDIUM | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check |
| CVE-2026-46360 | 5.4 MEDIUM | phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer |
| CVE-2026-46363 | 5.4 MEDIUM | phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass |
| CVE-2026-46365 | 5.4 MEDIUM | phpMyFAQ - Missing Authorization in Tag Deletion Endpoint |
| CVE-2026-45007 | 4.3 MEDIUM | phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information D |
| CVE-2026-45009 | 4.3 MEDIUM | phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints |
IV. Related Vulnerabilities
Same product: phpmyfaq
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same vendor: thorsten
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same weakness: CWE-79
- CVE-2026-44549
Open WebUI: Stored XSS in excel file preview - CVE-2026-45299
Open WebUI: Stored Cross-Site Scripting In Profile Picture - CVE-2026-45665
Open WebUI: Stored XSS in Banner Component via Improper Sani - CVE-2026-45318
Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX fil - CVE-2026-45315
Open WebUI: Stored XSS via attacker-controlled file extensio
V. Comments for CVE-2026-46361
No comments yet