CVE-2026-32629: CWE-20: Improper Input Validation in thorsten phpMyFAQ
phpMyFAQ versions prior to 4. 1. 1 contain an input validation vulnerability where an unauthenticated attacker can submit a guest FAQ with an email address that includes raw HTML. The email passes PHP's FILTER_VALIDATE_EMAIL but is stored without HTML sanitization and rendered with Twig's |raw filter, bypassing auto-escaping. This can lead to cross-site scripting (XSS) in the admin FAQ editor. The issue is fixed in version 4. 1. 1.
AI Analysis
Technical Summary
CVE-2026-32629 describes an improper input validation vulnerability (CWE-20) in phpMyFAQ before version 4.1.1. The vulnerability arises because the application accepts email addresses that are syntactically valid per RFC 5321 but contain raw HTML code, such as a script tag. PHP's FILTER_VALIDATE_EMAIL function accepts these emails as valid, but the application stores them without sanitizing the HTML content. Later, the email is rendered in the admin FAQ editor template using Twig's |raw filter, which disables auto-escaping and allows the embedded HTML to execute. This results in a stored cross-site scripting (XSS) vulnerability (CWE-79). The vulnerability is patched in phpMyFAQ version 4.1.1.
Potential Impact
An unauthenticated attacker can submit a malicious email address containing raw HTML that is stored and later rendered in the admin interface without escaping. This can lead to stored cross-site scripting (XSS) attacks against administrators viewing the FAQ editor, potentially allowing execution of arbitrary scripts in the admin context. The CVSS 4.0 base score is 5.4 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and high scope and impact on integrity and availability.
Mitigation Recommendations
Upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched. The vendor has fixed the issue by properly sanitizing email inputs and avoiding unsafe rendering with Twig's |raw filter. No additional mitigation is required if the system is updated.
CVE-2026-32629: CWE-20: Improper Input Validation in thorsten phpMyFAQ
Description
phpMyFAQ versions prior to 4. 1. 1 contain an input validation vulnerability where an unauthenticated attacker can submit a guest FAQ with an email address that includes raw HTML. The email passes PHP's FILTER_VALIDATE_EMAIL but is stored without HTML sanitization and rendered with Twig's |raw filter, bypassing auto-escaping. This can lead to cross-site scripting (XSS) in the admin FAQ editor. The issue is fixed in version 4. 1. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32629 describes an improper input validation vulnerability (CWE-20) in phpMyFAQ before version 4.1.1. The vulnerability arises because the application accepts email addresses that are syntactically valid per RFC 5321 but contain raw HTML code, such as a script tag. PHP's FILTER_VALIDATE_EMAIL function accepts these emails as valid, but the application stores them without sanitizing the HTML content. Later, the email is rendered in the admin FAQ editor template using Twig's |raw filter, which disables auto-escaping and allows the embedded HTML to execute. This results in a stored cross-site scripting (XSS) vulnerability (CWE-79). The vulnerability is patched in phpMyFAQ version 4.1.1.
Potential Impact
An unauthenticated attacker can submit a malicious email address containing raw HTML that is stored and later rendered in the admin interface without escaping. This can lead to stored cross-site scripting (XSS) attacks against administrators viewing the FAQ editor, potentially allowing execution of arbitrary scripts in the admin context. The CVSS 4.0 base score is 5.4 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and high scope and impact on integrity and availability.
Mitigation Recommendations
Upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched. The vendor has fixed the issue by properly sanitizing email inputs and avoiding unsafe rendering with Twig's |raw filter. No additional mitigation is required if the system is updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-12T15:29:36.558Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de335f9
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/10/2026, 12:01:11 AM
Last updated: 5/20/2026, 8:51:26 PM
Views: 60
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.