PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46367 thorsten CVE debrief

CVE-2026-46367 is a HIGH-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. The flaw is in Utils::parseUrl() and affects comment rendering, where malformed URLs can be turned into stored script content. Because the attacker must be authenticated but the payload is stored and later rendered to other users, the risk includes session theft and application takeover when affected FAQ pages are viewed.

Vendor: thorsten
Product: phpmyfaq
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and security teams running phpMyFAQ, especially deployments that allow authenticated users to submit comments or other content that is rendered back to visitors. Teams responsible for web application hardening, session protection, and content sanitization should prioritize review.

Technical summary

The supplied NVD data describes a stored XSS in phpMyFAQ, affecting versions before 4.1.2, with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N. The issue is attributed to Utils::parseUrl() in comment rendering. The attacker needs low-privilege authenticated access, then can place a maliciously formed URL containing unescaped quotes so that JavaScript is stored and executed in a viewer's browser. The impact is strongest where privileged users such as administrators view impacted FAQ pages. The source record is currently marked Deferred in NVD, but the referenced advisories identify the issue as phpMyFAQ and point to a fix boundary at 4.1.2.

Defensive priority

High. This is a network-reachable stored XSS that requires authentication and user interaction, but it can lead to cross-user compromise and administrative session abuse. Prioritize patching and validation of any instance that accepts user-generated content.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Review comment and URL rendering paths that rely on Utils::parseUrl().
  • Verify that output encoding and HTML attribute handling are applied consistently to user-controlled content.
  • Limit who can submit comments or other user-generated content until patched.
  • Check for unusual comment content containing malformed URLs, quotes, or injected event handlers.
  • Protect administrator sessions with strong session controls and shortest-necessary privileges.
  • Re-test affected pages after patching to confirm the stored payload is no longer rendered as active script.
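As an added example (not code from phpMyFAQ, the GitHub advisory, or this debrief), the Python below illustrates two of the points above: the technical summary's attribute-encoding failure, shown as a naive link renderer beside a hardened one, and the hunting step for stored comments containing quote-broken URLs or event-handler markup. The function names, the allowed-scheme list, the heuristic pattern and the sample comment records are all assumptions constructed for illustration; they do not reproduce Utils::parseUrl() or its fix.

```python
"""Added example: hardened URL-to-anchor rendering plus a stored-comment hunt.

Nothing here is phpMyFAQ code. Function names, the scheme allow-list, the
heuristic regex and SAMPLE_COMMENTS are constructed for illustration.
"""
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: only plain web links are ever turned into anchors.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(url: str) -> str:
    """Naive pattern: the URL is interpolated into an attribute unescaped.

    A double quote inside the URL closes href="..." early and everything
    after it is parsed as further attributes, i.e. attacker-chosen markup.
    """
    return f'<a href="{url}">{url}</a>'


def render_link_safe(url: str) -> str:
    """Hardened pattern: validate the scheme, then escape for attribute context.

    html.escape(quote=True) turns " ' < > & into entities, so the value can
    never terminate the attribute; non-http(s) input is rendered as text only.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return html.escape(url, quote=True)
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow noopener">{safe}</a>'


# Heuristic for hunting, not a parser: a quote followed by an attribute name
# and "=", any on*= handler, a javascript: scheme, or active-content tags.
SUSPICIOUS = re.compile(
    r"""["']\s*[a-z-]+\s*=|\bon[a-z]+\s*=|javascript:|<\s*/?\s*(script|img|svg|iframe)\b""",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def flag_comment(comment_id: int, text: str) -> Optional[dict]:
    """Return a finding for one stored comment, or None if nothing stands out."""
    reasons = []
    for url in URL_RE.findall(text):
        if '"' in url or "'" in url:
            reasons.append(f"quote inside URL: {url}")
    if SUSPICIOUS.search(text):
        reasons.append("event handler, script scheme or active markup")
    return {"id": comment_id, "reasons": reasons} if reasons else None


def hunt(comments: List[Tuple[int, str]]) -> List[dict]:
    """Run flag_comment over (id, text) records and collect the findings."""
    return [f for cid, body in comments for f in [flag_comment(cid, body)] if f]


# Constructed sample records standing in for rows from a comment table.
SAMPLE_COMMENTS = [
    (1, "Great FAQ, see also https://example.org/docs for more."),
    (2, 'Check https://example.org/" onmouseover="alert(1) soon'),
    (3, "It told me to try javascript:void(0) in the address bar"),
    (4, 'Quote of the day: "simplicity" wins'),
]


if __name__ == "__main__":
    for cid, body in SAMPLE_COMMENTS:
        for url in URL_RE.findall(body):
            print(cid, "unsafe :", render_link_unsafe(url))
            print(cid, "safe   :", render_link_safe(url))
    for finding in hunt(SAMPLE_COMMENTS):
        print("FLAG", finding)
```

The hunt is deliberately noisy: a benign comment that happens to contain a quote followed by `word=` will be flagged, which is acceptable for a one-off review of a comment table after an upgrade but not as a replacement for the 4.1.2 fix. The rendering half shows why escaping alone is insufficient without scheme validation: a `javascript:` URL survives `html.escape` untouched, so the allow-list check has to come first.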

Evidence notes

The description provided with the CVE says phpMyFAQ before 4.1.2 contains a stored XSS in Utils::parseUrl() that lets authenticated users inject JavaScript via malformed URLs in comments. The NVD metadata lists CVSS 3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N and CWE-79, and marks the record Deferred. The referenced advisory links point to a GitHub security advisory and a VulnCheck advisory for phpMyFAQ, which supports the product attribution despite the vendor metadata needing review.

Official resources

Publicly disclosed on 2026-05-15. The CVE record was last modified on 2026-05-18. NVD currently marks the entry Deferred, so product attribution and remediation should be confirmed against the referenced advisories and the upstream phpMyFAQ