These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-46367 is a high-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. The flaw is in Utils::parseUrl() and affects comment rendering, where malformed URLs can be turned into stored script content. The attacker must be authenticated, but the payload is stored and later rendered to other users, so the risk includes session theft and application takeover when affected FAQ pages are viewed.
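The advisory does not spell out how Utils::parseUrl() mishandles a URL, so the following is an added illustration of the bug class, not phpMyFAQ's code. It uses a hypothetical comment linkifier (URL_RE, ALLOWED_SCHEMES and the two linkify functions are all assumptions) with two constructed payloads: one abuses the URL scheme, the other closes the href attribute and injects an event handler. The hardened version escapes all comment text, links only allow-listed schemes, and escapes the href value as an attribute.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical comment linkifier used to show the bug class; it is not
# phpMyFAQ's Utils::parseUrl(), whose internals the advisory does not describe.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>]+")
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed payloads: scheme abuse and attribute breakout.
SCHEME_PAYLOAD = "see javascript:alert(document.cookie)"
BREAKOUT_PAYLOAD = 'docs at http://example.com/"onmouseover="alert(1)'


def linkify_vulnerable(comment: str) -> str:
    """Turns anything URL-shaped into a link with no escaping and no scheme check."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', comment)


def linkify_safe(comment: str) -> str:
    """Escapes every piece of text, links only allow-listed schemes, and escapes
    the href as an attribute value so a quote in the URL cannot close it."""
    out, pos = [], 0
    for m in URL_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        url = m.group(0)
        try:
            scheme = urlsplit(url).scheme.lower()
        except ValueError:          # malformed netloc, e.g. unbalanced brackets
            scheme = ""
        if scheme in ALLOWED_SCHEMES:
            out.append(
                f'<a href="{html.escape(url, quote=True)}" rel="nofollow noopener">'
                f"{html.escape(url)}</a>"
            )
        else:
            out.append(html.escape(url))   # rendered as inert text, not a link
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)
```

Run `linkify_vulnerable(BREAKOUT_PAYLOAD)` and the output contains `onmouseover="alert(1)"` as a live attribute; the safe version emits `&quot;onmouseover=&quot;alert(1)` inside the attribute and never links a javascript: URL. In a Twig stack the same effect comes from leaving autoescape on and applying a scheme allowlist before building the anchor.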
CVE-2026-46366 describes an information disclosure issue in phpMyFAQ before 4.1.2. According to the supplied record, the getIdFromSolutionId() method does not apply permission filtering, which can let unauthenticated attackers enumerate solution IDs and reveal restricted FAQ entry titles through the /solution_id_{id}.html endpoint. The issue is confidentiality-focused, can affect restricted content, and i [truncated]
CVE-2026-46365 affects phpMyFAQ before 4.1.2 and is a missing-authorization issue in the DELETE /admin/api/content/tags/{tagId} endpoint. Any logged-in user, including non-admin frontend users, can delete tags with a valid session cookie, which can permanently disrupt FAQ organization and cause data loss.
CVE-2026-46363 is a medium-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. Authenticated users with FAQ_ADD permission can inject malicious content through FAQ create/update paths, and the payload persists and executes when the entry is rendered to other users.
CVE-2026-46362 is a medium-severity authorization bypass affecting phpMyFAQ before 4.1.2. The issue is described as a failure in AbstractAdministrationController::userHasPermission() to stop execution after sending a forbidden response, which can let authenticated users reach permission-protected admin pages. The exposed data can include admin logs, user records, system information, and application config [truncated]
CVE-2026-46361 is a stored cross-site scripting vulnerability in phpMyFAQ before 4.1.2. The issue is described as unsafe rendering in search.twig, where result.question and result.answerPreview are output with the raw filter, bypassing Twig autoescape protections. An attacker with FAQ editor privileges can store HTML-entity-encoded payloads that survive the SearchController.php processing path and execute [truncated]
CVE-2026-46360 describes a stored cross-site scripting issue in phpMyFAQ’s SVG sanitization path. The sanitizer’s recursive entity decoding stops after 5 iterations, which can let deeply nested entity encodings survive filtering and reconstruct a dangerous javascript: URL. In the affected workflow, an authenticated user with FAQ_EDIT permission can upload a crafted SVG that later executes arbitrary JavaSc [truncated]
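The iteration cap is easiest to see in code. The block below is an added model of the flaw, not phpMyFAQ's sanitizer: it assumes the sanitizer decodes entities at most 5 times, tests the result for a javascript: prefix, and emits the partially decoded value, which a browser then decodes once more. A payload nested six layers deep survives; the fixed variant keeps the same bound but rejects any value that is still entity-encoded after it. All function names and the payload are constructed.

```python
import html

SANITIZER_DECODE_LIMIT = 5   # the iteration bound the advisory describes


def decode_bounded(value: str, limit: int = SANITIZER_DECODE_LIMIT) -> str:
    """Decode HTML entities repeatedly, at most `limit` times."""
    for _ in range(limit):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def sanitize_href_vulnerable(href: str) -> str:
    """Assumed shape of the flawed check: bounded decode, javascript: test,
    then emit whatever the bounded decode produced."""
    decoded = decode_bounded(href)
    if decoded.strip().lower().startswith("javascript:"):
        raise ValueError("blocked: javascript: URL")
    return decoded


def sanitize_href_fixed(href: str) -> str:
    """Same bound, but anything still entity-encoded after it is rejected,
    so no layer is left for the browser to peel off."""
    decoded = decode_bounded(href)
    if html.unescape(decoded) != decoded:
        raise ValueError("rejected: entity nesting deeper than the decode bound")
    if decoded.strip().lower().startswith("javascript:"):
        raise ValueError("blocked: javascript: URL")
    return decoded


def nested_payload(depth: int) -> str:
    """Constructed attacker input: the 'j' as a numeric entity, then each
    further layer encodes the ampersand of the layer below (&amp;amp;...#106;)."""
    payload = "&#106;avascript:alert(1)"
    for _ in range(depth - 1):
        payload = payload.replace("&", "&amp;", 1)
    return payload


def browser_attribute_value(attr: str) -> str:
    """A browser decodes exactly one layer of entities in an attribute value."""
    return html.unescape(attr)


def attempt(sanitizer, href: str):
    """Run a sanitizer and report ('allowed', value) or ('rejected', reason)."""
    try:
        return ("allowed", sanitizer(href))
    except ValueError as exc:
        return ("rejected", str(exc))
```

With `nested_payload(5)` the vulnerable sanitizer reaches the plain `javascript:` string on its fifth pass and blocks it; with `nested_payload(6)` it stops one layer short, passes the value through, and `browser_attribute_value()` yields `javascript:alert(1)`. The fixed version rejects both while still accepting an ordinary URL containing `&`.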
CVE-2026-46359 is an authenticated SQL injection issue affecting phpMyFAQ before 4.1.2. According to the published description, malicious OAuth token claims can reach CurrentUser::setTokenData unsafely, allowing attackers to break out of string literals and execute arbitrary SQL.
CVE-2026-45010 is a critical authentication-bypass issue in phpMyFAQ before 4.1.2. The /admin/check endpoint accepts arbitrary user-id parameters without tying the check to an existing session or enforcing meaningful rate limits, allowing an unauthenticated attacker to brute-force a six-digit TOTP and reach administrative access. Because the flaw defeats the intended second factor, the impact is severe ev [truncated]
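The two missing controls, session binding and rate limiting, are shown side by side in the added example below. It is not phpMyFAQ's /admin/check handler; the user table, the handler shapes and the attacker loop are constructed, and the TOTP secret is the RFC 6238 reference secret used only as sample data. The flawed handler trusts a client-supplied user id and answers every attempt, so a loop over the six-digit space reaches an administrative session; the hardened handler takes the user id only from a server-side pending-2FA session and locks after five failures.

```python
import hashlib
import hmac
import struct

# The RFC 6238 reference secret, used here only as constructed sample data.
RFC6238_SECRET = b"12345678901234567890"
USERS = {7: {"secret": RFC6238_SECRET, "admin": True}}   # constructed user table


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def check_vulnerable(params: dict, session: dict, now: int) -> int:
    """Models the flawed endpoint: the user id comes from the request, nothing
    ties it to a session that passed the password step, every attempt is answered."""
    user = USERS.get(params.get("user_id"))
    if user and hmac.compare_digest(totp(user["secret"], now), params.get("code", "")):
        session.update(user_id=params["user_id"], admin=user["admin"])
        return 200
    return 401


class HardenedCheck:
    """Binds the second factor to a server-side pending-2FA marker and locks
    the account after a few failures."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = {}

    def check(self, params: dict, session: dict, now: int) -> int:
        user_id = session.get("pending_2fa_user")   # set by the password step, never by the client
        if user_id is None:
            return 403
        if self.failures.get(user_id, 0) >= self.MAX_FAILURES:
            return 429
        user = USERS[user_id]
        if hmac.compare_digest(totp(user["secret"], now), params.get("code", "")):
            self.failures.pop(user_id, None)
            del session["pending_2fa_user"]
            session.update(user_id=user_id, admin=user["admin"])
            return 200
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return 401


def brute_force(check, user_id: int, session: dict, now: int, budget: int = 10 ** 6):
    """Attacker loop: submit 000000, 000001, ... until the reply is not 401.
    Returns (final status, number of requests sent)."""
    for i in range(budget):
        status = check({"user_id": user_id, "code": str(i).zfill(6)}, session, now)
        if status != 401:
            return status, i + 1
    return None, budget
```

At the RFC test time 1111111111 the valid code is 050471, so `brute_force(check_vulnerable, 7, {}, 1111111111)` returns an admin session after 50472 requests with no credential at all. Against `HardenedCheck` the same loop gets 403 on the first request without a pending session and 429 on the sixth request with one, which is the point: the lockout only means something once the check is bound to a session the attacker cannot mint.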
CVE-2026-45009 is a medium-severity authorization weakness in phpMyFAQ before 4.1.2. The issue lets a logged-in frontend user reach admin-api routes that should be restricted to privileged administrators. As disclosed, the exposed backend data can include dashboard version details, LDAP configuration, Elasticsearch statistics, and health-check information. This is primarily an access-control failure rathe [truncated]
CVE-2026-45008 affects phpMyFAQ before 4.1.2. A path traversal issue in Client::deleteClientFolder can let an authenticated admin with INSTANCE_DELETE delete directories outside the intended clientFolder scope. The impact is integrity and availability loss through unintended recursive directory deletion.
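An added example of the traversal and of the containment check that stops it. This is not phpMyFAQ's Client::deleteClientFolder(); both delete functions and the temporary directory layout (`clientFolder/clientA` beside an `outside` directory) are constructed for the demonstration. The unchecked version joins the client name onto the base path and deletes whatever that resolves to; the hardened version accepts only a bare directory name, refuses symlinks, and confirms the resolved target is a direct child of the resolved base before deleting.

```python
import os
import shutil
import tempfile
from pathlib import Path


def delete_client_folder_vulnerable(client_folder: str, client: str) -> None:
    """Joins and deletes without checking where the result points."""
    shutil.rmtree(os.path.join(client_folder, client))


def delete_client_folder_safe(client_folder: str, client: str) -> None:
    """Accepts only a bare directory name, refuses symlinks, and confirms the
    resolved target is a direct child of the resolved clientFolder."""
    if (not client or client in (".", "..") or "/" in client or "\\" in client
            or os.sep in client or os.path.isabs(client)):
        raise ValueError("client must be a bare directory name")
    base = Path(client_folder).resolve(strict=True)
    target = base / client
    if target.is_symlink():
        raise ValueError("refusing to follow a symlinked client directory")
    if target.resolve().parent != base or not target.is_dir():
        raise ValueError("target is not a directory inside clientFolder")
    shutil.rmtree(target)


def run_demo() -> dict:
    """Constructed layout: <tmp>/clientFolder/clientA and <tmp>/outside/important.txt."""
    root = Path(tempfile.mkdtemp())
    try:
        base, outside = root / "clientFolder", root / "outside"
        (base / "clientA").mkdir(parents=True)
        outside.mkdir()
        (outside / "important.txt").write_text("keep me")

        delete_client_folder_vulnerable(str(base), "../outside")   # traversal succeeds
        vulnerable_removed_outside = not outside.exists()

        outside.mkdir()
        (outside / "important.txt").write_text("keep me")
        try:
            delete_client_folder_safe(str(base), "../outside")
            safe_refused = False
        except ValueError:
            safe_refused = True

        delete_client_folder_safe(str(base), "clientA")              # legitimate use still works
        return {
            "vulnerable_removed_outside": vulnerable_removed_outside,
            "safe_refused_traversal": safe_refused,
            "outside_intact": (outside / "important.txt").is_file(),
            "client_removed": not (base / "clientA").exists(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

`run_demo()` reports that the unchecked delete removed the sibling `outside` directory, that the hardened delete refused the same input, and that it still removed `clientA`. The parent comparison on resolved paths is what matters; a name filter alone misses symlinks and platform-specific separators.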
CVE-2026-45007 is an access-control flaw in phpMyFAQ before 4.1.2. In ConfigurationTabController.php, 12 /admin/api/configuration endpoints used userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), so any authenticated user could query configuration metadata such as the permission model, cache backend, mail provider, and translation provider. The issue is confidentiality-only, but it we [truncated]
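Four of the entries above (CVE-2026-45007, CVE-2026-45009, CVE-2026-46362 and CVE-2026-46365) come down to two patterns: an authentication check used where a permission check was needed, and a permission check that emits a forbidden response but lets the caller run on. The added example below models both in one small controller and then fixes them; it is not phpMyFAQ's AbstractAdministrationController, and the action names, the permission names and the output-buffer model of "sending" a response are constructed assumptions.

```python
ADMIN_LOGS = [{"id": 1, "msg": "user 1 logged in"}]                 # constructed data
CONFIG_METADATA = {"permission_model": "basic", "cache_backend": "none"}


class Forbidden(Exception):
    """Raised by the hardened check; the dispatcher turns it into a bare 403."""


class User:
    def __init__(self, user_id: int, permissions):
        self.id = user_id
        self.permissions = set(permissions)


class VulnerableController:
    """Each action appends what it 'sends' to self.output, like echoing a body."""

    def __init__(self):
        self.output = []

    def user_is_authenticated(self, user) -> bool:
        return user is not None

    def user_has_permission(self, user, perm) -> None:
        if user is None or perm not in user.permissions:
            self.output.append(("status", 403))   # sends a 403 but never exits
        # no return value; the caller keeps executing either way

    def admin_logs(self, user):
        self.user_has_permission(user, "ADMIN_LOG")
        self.output += [("status", 200), ("body", ADMIN_LOGS)]

    def config_metadata(self, user):
        if not self.user_is_authenticated(user):      # authentication, not authorization
            self.output.append(("status", 401))
            return
        self.output += [("status", 200), ("body", CONFIG_METADATA)]


class HardenedController(VulnerableController):
    def user_has_permission(self, user, perm) -> None:
        if user is None or perm not in user.permissions:
            raise Forbidden(perm)                    # stops every caller, not just this one

    def config_metadata(self, user):
        self.user_has_permission(user, "CONFIGURATION_EDIT")
        self.output += [("status", 200), ("body", CONFIG_METADATA)]


def dispatch(controller, action: str, user):
    """Runs one action and returns everything the controller 'sent'."""
    controller.output = []
    try:
        getattr(controller, action)(user)
    except Forbidden:
        controller.output = [("status", 403)]
    return controller.output


def leaks_body(output) -> bool:
    return any(kind == "body" for kind, _ in output)
```

Dispatching `admin_logs` for a frontend user on the vulnerable controller yields a 403 followed by the log records, which is the CVE-2026-46362 shape; `config_metadata` for the same user yields the configuration outright, the CVE-2026-45007 shape. On the hardened controller both produce only a 403, while an administrator holding CONFIGURATION_EDIT still gets the data. Because `admin_logs` is inherited unchanged, the example also shows that making the shared check raise rather than return fixes every caller at once.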