PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46361 thorsten CVE debrief

CVE-2026-46361 is a stored cross-site scripting vulnerability in phpMyFAQ before 4.1.2. The issue is described as unsafe rendering in search.twig, where result.question and result.answerPreview are output with the raw filter, bypassing Twig autoescape protections. An attacker with FAQ editor privileges can store HTML-entity-encoded payloads that survive the SearchController.php processing path and execute JavaScript in visitors’ browsers, including administrators.

Vendor: thorsten
Product: phpmyfaq
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators of phpMyFAQ deployments, especially environments that allow FAQ editor privileges, moderate user-submitted content, or expose search results to authenticated staff and administrators.

Technical summary

The supplied CVE description says phpMyFAQ before 4.1.2 renders search results in search.twig using the raw filter for result.question and result.answerPreview. That disables autoescape and creates a stored XSS condition. The content path described by the record indicates that html_entity_decode(strip_tags()) in SearchController.php does not prevent HTML-entity-encoded payloads from reaching the template: strip_tags() runs before the entities are decoded, so an encoded tag contains no angle brackets at that point and is reconstructed by html_entity_decode() afterwards, allowing script execution when users view affected search results.

Defensive priority

Medium. The CVSS base score is 6.9, but the impact can be broad because the payload is stored and executes in visitor and administrator browser contexts. Prioritize remediation if FAQ editor access is available to multiple users or if the search result page is heavily used.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later as soon as practical.
  • Review search.twig and remove or minimize raw rendering for result.question and result.answerPreview unless output is explicitly sanitized and intended to be trusted.
  • Audit FAQ editor accounts and limit who can create or modify FAQ content.
  • Search existing FAQ entries and related stored content for suspicious HTML-entity-encoded payloads and remove malicious records.
  • Validate that server-side processing and template output use a consistent allowlist/escaping approach for user-controlled fields.
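The processing order described in the technical summary and the audit action above, as an added PHP example (not phpMyFAQ's own code; the function names and sample records are constructed for illustration):

```php
<?php
declare(strict_types=1);

// Weak path, modelled on the debrief's description of SearchController.php
// (hypothetical reconstruction, not the project's code): strip_tags() runs
// first and sees no '<' in an entity-encoded tag, then html_entity_decode()
// rebuilds the tag. Rendered through Twig's |raw filter it becomes live markup.
function weakPreview(string $answer): string
{
    return html_entity_decode(strip_tags($answer));
}

// Hardened path (assumed fix, not phpMyFAQ's own): decode before stripping,
// then escape once on output. In the template this corresponds to dropping
// |raw so that Twig autoescape performs the same escaping.
function safePreview(string $answer): string
{
    $text = strip_tags(html_entity_decode($answer, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Audit helper for the "search existing FAQ entries" action: returns ids of
// records whose stored text only turns into markup after entity decoding.
// Hits need manual review; an FAQ entry that documents HTML will also match.
function findEncodedMarkup(array $records): array
{
    $hits = [];
    foreach ($records as $id => $content) {
        $decoded = html_entity_decode($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded !== $content && preg_match('/<\s*[a-z!\/]/i', $decoded) === 1) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample records, not real phpMyFAQ data.
$records = [
    101 => 'Reset your password from the <b>profile</b> page.',
    102 => 'See &lt;script&gt;alert(1)&lt;/script&gt; for details.',
];

echo weakPreview($records[102]), PHP_EOL;   // weak path: tag survives into the preview
echo safePreview($records[102]), PHP_EOL;   // hardened path: tag stripped, text escaped
print_r(findEncodedMarkup($records));        // audit: ids that need manual review
```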

Evidence notes

This debrief is based on the supplied CVE description, the NVD record, and the linked GitHub Security Advisory/Vulncheck advisory references. The record is classified as CWE-79 (stored XSS) and the NVD source item lists vulnStatus as Deferred, so the detailed behavior is taken from the advisory-linked description rather than additional enrichment.

Official resources

Publicly disclosed in the CVE record on 2026-05-15 and modified on 2026-05-18. The supplied corpus links the disclosure to a GitHub Security Advisory and a Vulncheck advisory, while NVD marks the record as Deferred.