{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/phpmyfaq--4.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-46367"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["phpMyFAQ \u003c 4.1.2"],"_cs_severities":["high"],"_cs_tags":["stored-xss","xss","phpmyfaq"],"_cs_type":"advisory","_cs_vendors":["phpMyFAQ"],"content_html":"\u003cp\u003ephpMyFAQ before version 4.1.2 is vulnerable to stored cross-site scripting (XSS) in the \u003ccode\u003eUtils::parseUrl()\u003c/code\u003e function. The vulnerability, identified as CVE-2026-46367, allows authenticated users to inject arbitrary JavaScript code into comments by crafting malformed URLs containing unescaped quotes. When other users, including administrators, view the FAQ pages containing the malicious comments, the injected JavaScript executes in their browsers. This can lead to the theft of sensitive information like admin session cookies, ultimately enabling full application takeover. The vulnerability was reported by VulnCheck and affects deployments where user comments are enabled and not properly sanitized.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the phpMyFAQ application with a valid user account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing unescaped quotes and JavaScript code (e.g., \u003ccode\u003e\u0026lt;a href=\u0026quot;javascript:alert('XSS')\u0026quot;\u0026gt;Click Here\u0026lt;/a\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker submits a comment containing the crafted malicious URL to a FAQ page.\u003c/li\u003e\n\u003cli\u003eThe phpMyFAQ application stores the comment, including the malicious URL, in the database without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eA victim user (including an administrator) views the FAQ page containing the attacker\u0026rsquo;s comment.\u003c/li\u003e\n\u003cli\u003eThe phpMyFAQ application renders the FAQ page, embedding the malicious URL within the HTML.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser parses the HTML and executes the injected JavaScript code from the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code steals the victim\u0026rsquo;s session cookies and sends them to an attacker-controlled server, allowing session hijacking.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability (CVE-2026-46367) can lead to the theft of administrator session cookies, resulting in a complete takeover of the phpMyFAQ application. An attacker could then modify FAQs, inject further malicious code, or compromise sensitive data stored within the application. The severity is rated as HIGH with a CVSS v3.1 score of 7.6. The number of victims depends on the number of users who view the FAQ pages containing the injected malicious URLs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade phpMyFAQ to version 4.1.2 or later to patch the CVE-2026-46367 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization in the \u003ccode\u003eUtils::parseUrl()\u003c/code\u003e function to prevent the injection of malicious JavaScript code, specifically escaping single and double quotes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect phpMyFAQ XSS in FAQ Comments\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRegularly review user-submitted content (comments, URLs) for suspicious patterns or malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T19:20:47Z","date_published":"2026-05-15T19:20:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-xss/","summary":"phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments, potentially leading to session hijacking and application takeover.","title":"phpMyFAQ Stored XSS Vulnerability via Malformed URLs (CVE-2026-46367)","url":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — PhpMyFAQ \u003c 4.1.2","version":"https://jsonfeed.org/version/1.1"}