CVE-2026-46361— phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
Possible ATT&CK Techniques 2AI
T1189 · Drive-by Compromise T1059 · Command and Scripting InterpreterGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46361
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
Source: NVD (National Vulnerability Database)
Vulnerability Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
phpMyFAQ 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
phpMyFAQ是Thorsten Rinne个人开发者的一个多语言、完全由数据库驱动的常见问题解答系统。 phpMyFAQ 4.1.2之前版本存在跨站脚本漏洞,该漏洞源于search.twig中result.question和result.answerPreview使用raw过滤器渲染,可能导致具有FAQ编辑器权限的攻击者注入HTML实体编码的有效载荷绕过html_entity_decode处理,在包括管理员在内的每个访问者浏览器中执行任意JavaScript。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46361
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46361
请登录查看更多情报信息。
Advisory · 2
Same Patch Batch · thorsten · 2026-05-15 · 13 CVEs total
| CVE-2026-46364 | 9.8 CRITICAL | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha |
| CVE-2026-45010 | 9.1 CRITICAL | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint |
| CVE-2026-46367 | 7.6 HIGH | phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering |
| CVE-2026-46359 | 7.5 HIGH | phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields |
| CVE-2026-46366 | 7.5 HIGH | phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypas |
| CVE-2026-45008 | 6.5 MEDIUM | phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter |
| CVE-2026-46362 | 6.5 MEDIUM | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check |
| CVE-2026-46360 | 5.4 MEDIUM | phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer |
| CVE-2026-46363 | 5.4 MEDIUM | phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass |
| CVE-2026-46365 | 5.4 MEDIUM | phpMyFAQ - Missing Authorization in Tag Deletion Endpoint |
| CVE-2026-45007 | 4.3 MEDIUM | phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information D |
| CVE-2026-45009 | 4.3 MEDIUM | phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints |
IV. Related Vulnerabilities
Same product: phpmyfaq
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same vendor: thorsten
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same weakness: CWE-79
- CVE-2026-3481
WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via ' - CVE-2026-7509
KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input Du - CVE-2026-6864
CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site S - CVE-2026-9104
Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-S - CVE-2026-4093
Stored XSS in Drupal 7 Term Reference Tree module (token dis
V. Comments for CVE-2026-46361
No comments yet