CVE-2026-32629: CWE-20: Improper Input Validation in thorsten phpMyFAQ
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
AI Analysis
Technical Summary
phpMyFAQ is an open-source FAQ web application that, prior to version 4.1.1, contained a vulnerability (CVE-2026-32629) due to improper input validation (CWE-20) and stored cross-site scripting (CWE-79). The issue arises because the application accepts email addresses that are syntactically valid per RFC 5321 but contain embedded raw HTML, such as "<script>alert(1)</script>"@evil.com. This acceptance is due to PHP's FILTER_VALIDATE_EMAIL filter, which permits quoted local parts, including ones containing HTML tags. When such an email is submitted by an unauthenticated attacker as part of a guest FAQ entry, it is stored in the database without any HTML sanitization. Later, when an administrator opens the FAQ editor, the stored email is rendered using Twig's |raw filter, which disables auto-escaping and allows the embedded HTML/JavaScript to execute in the admin's browser context. This results in a stored XSS vulnerability that can lead to session hijacking, credential theft, or other malicious actions within the admin session. Submitting the malicious input requires no authentication, but exploitation requires an admin to view the affected page, so some user interaction is involved. The vulnerability was publicly disclosed and patched in phpMyFAQ version 4.1.1. The CVSS 4.0 base score is 5.4 (medium severity), reflecting a network attack vector, low attack complexity and no privileges required to submit the payload, with user interaction (an admin viewing the entry) needed for exploitation, and high scope impact because the affected component is the admin interface. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability allows unauthenticated attackers to inject malicious scripts into the phpMyFAQ database via crafted email addresses in guest FAQ submissions. When an administrator views the FAQ editor, the malicious script executes in their browser context, potentially compromising the admin session. This can lead to theft of admin credentials, session hijacking, unauthorized administrative actions, or deployment of further attacks within the organization's network. Since phpMyFAQ is often used to manage public-facing FAQ content, compromise of the admin interface could also lead to defacement or misinformation. The impact is significant for organizations relying on phpMyFAQ for knowledge management, especially those with high-value or sensitive information. However, the requirement for an admin to view the malicious entry limits the attack scope somewhat. The vulnerability could be leveraged as a foothold for further internal network compromise or data exfiltration. Organizations with multiple admins or frequent FAQ updates are at higher risk. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability is straightforward to exploit once discovered.
Mitigation Recommendations
Organizations using phpMyFAQ should immediately upgrade to version 4.1.1 or later, where this vulnerability is patched. Until upgrade, administrators should be cautious when reviewing guest-submitted FAQs and avoid opening suspicious entries. Implement additional input validation and sanitization on email fields, rejecting or escaping any input containing HTML or script tags beyond RFC 5321 compliance. Disable or avoid using Twig's |raw filter when rendering user-submitted content, or apply strict output encoding to prevent XSS. Employ web application firewalls (WAFs) with rules to detect and block suspicious payloads containing script tags in email fields. Regularly audit FAQ entries for malicious content. Limit admin interface access to trusted networks and users, and enforce multi-factor authentication to reduce impact if credentials are compromised. Monitor logs for unusual admin activity or repeated guest submissions with suspicious emails. Consider deploying Content Security Policy (CSP) headers to restrict script execution in the admin interface. These steps collectively reduce the risk of exploitation and limit potential damage.
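The two fixes recommended above, a stricter email check on the input side and explicit escaping on the output side, written here as an added PHP example. This is not phpMyFAQ's own code or its actual patch; the function names and the sample input variable are assumptions.

```php
<?php
// Added example, not phpMyFAQ's code. Shows why a syntactic email check is not
// a safety check, and the two defensive controls: reject quoted local parts on
// input, and escape on output instead of relying on Twig's |raw.

// Constructed sample input: the quoted-local-part address from the advisory.
$submitted = '"<script>alert(1)</script>"@evil.com';

// What the vulnerable path relied on: syntactic validation only. For this input
// FILTER_VALIDATE_EMAIL returns the string unchanged, so passing the check says
// nothing about whether the value is safe to render in a template.
$syntacticallyValid = filter_var($submitted, FILTER_VALIDATE_EMAIL) !== false;

/**
 * Hypothetical input-side check for a guest form. Accepts only the dot-atom
 * local-part form: quoted local parts are RFC 5321-valid but have no business
 * on a web form, and they are exactly where this advisory's payload lives.
 */
function isSafeGuestEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // A quoted-string local part always begins with a double quote.
    if (str_starts_with($email, '"')) {
        return false;
    }
    // Belt and braces: none of the characters that are meaningful in HTML or
    // that could only have survived validation inside a quoted local part.
    return preg_match('/[<>"\'&\s\\\\]/', $email) !== 1;
}

/**
 * Hypothetical output-side control. Any value that must be passed to a
 * template as a pre-built string is escaped here, so auto-escaping in Twig is
 * not the only line of defence and |raw is never applied to user data.
 */
function renderEmailForAdminEditor(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

var_dump($syntacticallyValid);                       // passes the syntactic check
var_dump(isSafeGuestEmail($submitted));              // rejected by the hardened check
var_dump(isSafeGuestEmail('jane.doe@example.org'));  // a normal address still passes
echo renderEmailForAdminEditor($submitted), "\n";    // markup is rendered inert
```

Applying only the output-side escape is enough to stop the script from executing in the editor; the input-side check additionally keeps such values out of the database, where other templates or exports might render them later.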
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T15:29:36.558Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de335f9
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/2/2026, 3:43:11 PM
Last updated: 4/3/2026, 5:57:09 AM