PatchSiren cyber security CVE debrief

CVE-2026-46363 thorsten CVE debrief

CVE-2026-46363 is a medium-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. Authenticated users with FAQ_ADD permission can inject malicious content through the FAQ create and update paths; the payload is stored and executes when the affected entry is rendered to other users.

Vendor: thorsten
Product: phpmyfaq
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and developers running phpMyFAQ, especially teams that allow non-admin users to create or edit FAQ content. Security teams should also review any deployment that renders user-controlled FAQ fields to the browser.

Technical summary

The issue is a stored XSS vulnerability (CWE-79) in the FAQ creation and update flows. According to the provided description and NVD metadata, the attack requires authentication and FAQ_ADD permission, uses the question or answer parameters, and bypasses sanitization through encode-decode cycles: content that is encoded more than once passes the sanitizer and is turned back into live markup by a later decode step. When the affected FAQ content is then rendered with a raw Twig filter, the injected script executes in visitors' browsers. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, reflecting network reachability, low attack complexity, low required privileges, required user interaction, a changed scope, and low confidentiality and integrity impact with no availability impact.

Defensive priority

Medium. The CVSS score is moderate, but the impact is persistent and browser-side, so teams using phpMyFAQ should patch promptly and review any workflow that allows authenticated content creation.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Review FAQ entries created or modified by accounts with FAQ_ADD permission for unexpected script content or other untrusted markup.
  • Restrict FAQ_ADD permission to the smallest practical set of trusted users.
  • Audit the FAQ rendering path to ensure user-controlled fields are escaped and not passed through raw template rendering.
  • Check for other pages or templates that reuse the same FAQ content fields and may inherit the same exposure.
  • Monitor logs and recent content changes for suspicious FAQ creation or update activity.
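As an added defensive example (not phpMyFAQ project code and not taken from the advisory), the Python script below implements two of the review steps listed above: it decodes stored FAQ fields to a fixed point so that content encoded more than once is seen as the browser eventually would, flags fields that then contain active markup, and scans Twig template text for expressions rendered through the raw filter. The FAQ rows, the field names question and answer, and the template fragment are constructed for this example; phpMyFAQ's real schema and templates are not reproduced here.

```python
"""Defensive audit helpers for stored FAQ content and Twig templates.

Added example, not phpMyFAQ code. Sample rows, field names and the
template fragment are constructed for illustration.
"""
import html
import re

# Broad indicators of active content in fully decoded text. An audit
# should over-report and leave the decision to a human reviewer.
ACTIVE_MARKUP = re.compile(
    r"<\s*(?:script|iframe|object|embed)\b"   # script-bearing elements
    r"|\son[a-z]+\s*=",                        # inline event handler attributes
    re.IGNORECASE,
)

# Any Twig output expression that is piped through the ``raw`` filter.
RAW_FILTER = re.compile(r"\{\{\s*(.*?)\s*\|\s*raw\b.*?\}\}")


def decode_to_fixed_point(text, max_rounds=5):
    """HTML-entity-decode ``text`` until it stops changing.

    A sanitizer that runs once and is followed by a decode step is defeated
    by content encoded more than once. Returns the stable decoded text and
    the number of rounds that changed it (2 or more means double encoding).
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
        rounds += 1
    return text, rounds


def flag_active_content(entries):
    """Return one finding per FAQ field whose decoded text holds active markup.

    ``entries`` is a list of dicts with ``id``, ``question`` and ``answer``
    (assumed field names, not phpMyFAQ's schema).
    """
    findings = []
    for entry in entries:
        for field in ("question", "answer"):
            decoded, rounds = decode_to_fixed_point(entry.get(field, ""))
            match = ACTIVE_MARKUP.search(decoded)
            if match:
                findings.append({
                    "id": entry["id"],
                    "field": field,
                    "decode_rounds": rounds,
                    "marker": match.group(0),
                })
    return findings


def find_raw_filters(template_text):
    """List (line number, expression) for every ``{{ ...|raw }}`` in a template."""
    hits = []
    for number, line in enumerate(template_text.splitlines(), start=1):
        for match in RAW_FILTER.finditer(line):
            hits.append((number, match.group(1).strip()))
    return hits


def render_safely(text):
    """Normalise to a fixed point, then escape exactly once.

    Escaping the normalised form means the result is inert no matter how
    many times the stored value had been encoded on the way in.
    """
    decoded, _ = decode_to_fixed_point(text)
    return html.escape(decoded, quote=True)


# Constructed sample data: one benign row, one double-encoded row and one
# single-encoded row carrying an event handler attribute.
SAMPLE_ENTRIES = [
    {"id": 1, "question": "How do I reset my password?",
     "answer": "Use the <b>Forgot password</b> link on the login page."},
    {"id": 2, "question": "Constructed double-encoded sample",
     "answer": "&amp;lt;script&amp;gt;/* constructed */&amp;lt;/script&amp;gt;"},
    {"id": 3, "question": "Constructed single-encoded sample",
     "answer": "&lt;div onmouseover=sample&gt;text&lt;/div&gt;"},
]

# Constructed template fragment; variable names are assumptions.
SAMPLE_TEMPLATE = """\
<h2>{{ faq.question }}</h2>
<div class="answer">{{ faq.answer|raw }}</div>
<p>{{ faq.author|e }}</p>
<footer>{{ footer_html | raw }}</footer>
"""

if __name__ == "__main__":
    for finding in flag_active_content(SAMPLE_ENTRIES):
        print(finding)
    for line, expr in find_raw_filters(SAMPLE_TEMPLATE):
        print(f"line {line}: {expr} rendered through |raw")
```

The content audit is deliberately conservative: it reports whatever the field becomes after full decoding, because the advisory says a decode step sits somewhere between storage and the raw render. The escape-once helper shows the mitigation in its simplest form; a FAQ that legitimately stores rich HTML needs an allowlist sanitizer applied to the normalised text instead of plain escaping, which this example does not implement.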

Evidence notes

The supplied description states that phpMyFAQ before 4.1.2 is affected by a stored XSS that bypasses sanitization through encode-decode cycles and executes when rendered with a raw Twig filter. NVD metadata lists CWE-79 and the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The provided NVD source record shows vulnStatus as Deferred. PublishedAt is 2026-05-15T19:17:03.633Z and ModifiedAt is 2026-05-18T17:25:39.493Z.

Official resources

Publicly disclosed on 2026-05-15 and updated on 2026-05-18. The supplied NVD record marks the CVE as Deferred. No KEV data was provided. References in the corpus point to the GitHub security advisory and the VulnCheck advisory.