PatchSiren cyber security CVE debrief
CVE-2026-46360 thorsten CVE debrief
CVE-2026-46360 describes a stored cross-site scripting issue in phpMyFAQ’s SVG sanitization path. The sanitizer’s recursive entity decoding stops after 5 iterations, which can let deeply nested entity encodings survive filtering and reconstruct a dangerous javascript: URL. In the affected workflow, an authenticated user with FAQ_EDIT permission can upload a crafted SVG that later executes arbitrary JavaScript when another user views and clicks the file.
- Vendor
- thorsten
- Product
- phpmyfaq
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Administrators and security teams running phpMyFAQ, especially deployments that allow SVG uploads or grant FAQ_EDIT permission to non-admin users. Reviewers responsible for file-upload handling, content sanitization, and browser-side exposure to uploaded SVG content should prioritize this issue.
Technical summary
The vulnerability is a stored XSS in SvgSanitizer::decodeAllEntities(). According to the supplied description, recursive entity decoding is limited to 5 iterations, which can be bypassed by using deeply nested ampersand encoding around numeric HTML entities. That allows a malicious SVG to evade sanitization, preserve a javascript: URL, and execute script in the browser when the uploaded SVG is rendered and interacted with. The source metadata maps the weakness to CWE-79 and the CVSS vector to AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Defensive priority
High for any environment that accepts user-uploaded SVGs or delegates FAQ_EDIT to accounts that are not fully trusted. The attack requires authentication and user interaction, so it is not the highest-severity class, but the impact includes script execution in another user’s browser and potential session or content compromise.
Recommended defensive actions
- Upgrade phpMyFAQ to 4.1.2 or later, per the supplied vulnerability description.
- Restrict SVG upload capability to trusted administrators until remediation is in place.
- Minimize and review who receives FAQ_EDIT permission; treat it as security-sensitive.
- Add server-side upload controls that reject or strictly sanitize SVG content before storage and display.
- Review existing uploaded SVG files for unexpected entity nesting or script-like URLs.
- Use browser-side hardening such as a restrictive Content Security Policy to reduce XSS impact.
- Monitor for suspicious edits or uploads by authenticated users with content-edit permissions.
Evidence notes
This debrief is based on the supplied CVE description and the linked disclosure references in the NVD record. The source metadata lists phpMyFAQ as the affected product context, the weakness as CWE-79, and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The NVD record shown in the supplied corpus has vulnStatus set to Deferred and no KEV entry is present in the provided timeline.
Official resources
Publicly disclosed on 2026-05-15 in the linked GitHub Security Advisory and VulnCheck advisory, with the NVD record last modified on 2026-05-18. No KEV listing was supplied for this CVE.