CVE-2026-46360: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thorsten phpmyfaq
phpMyFAQ versions before 4. 1. 2 have a stored cross-site scripting (XSS) vulnerability in the SvgSanitizer::decodeAllEntities() function. This vulnerability arises because the recursive entity decoding is limited to 5 iterations, which allows authenticated users with FAQ_EDIT permission to upload malicious SVG files. These SVG files contain deeply nested ampersand encoding around numeric HTML entities that can reconstruct javascript: URLs. When other users view and click on these SVG files, arbitrary JavaScript code executes in their browsers. The vulnerability has a CVSS score of 5. 4, indicating medium severity.
AI Analysis
Technical Summary
The vulnerability in phpMyFAQ before version 4.1.2 is a stored cross-site scripting issue located in the SvgSanitizer::decodeAllEntities() function. The sanitization process limits recursive decoding to five iterations, which is insufficient to prevent attackers from bypassing it. Authenticated users with FAQ_EDIT permissions can exploit this by uploading SVG files with deeply nested ampersand-encoded numeric HTML entities that reconstruct javascript: URLs. These URLs execute arbitrary JavaScript when clicked by other users viewing the SVG content, potentially leading to script execution in the context of the victim's browser session.
Potential Impact
An attacker with authenticated FAQ_EDIT permissions can upload malicious SVG files that execute arbitrary JavaScript in the browsers of other users who view and interact with the SVG content. This can lead to client-side script execution, potentially compromising user sessions or performing actions on behalf of the victim. The vulnerability does not affect system availability and has limited confidentiality and integrity impact as per the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided and the remediation level is not specified, users should monitor the vendor's announcements for updates. In the meantime, restrict FAQ_EDIT permissions to trusted users only and consider disabling SVG uploads or sanitizing SVG content with more robust tools to prevent exploitation.
CVE-2026-46360: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thorsten phpmyfaq
Description
phpMyFAQ versions before 4. 1. 2 have a stored cross-site scripting (XSS) vulnerability in the SvgSanitizer::decodeAllEntities() function. This vulnerability arises because the recursive entity decoding is limited to 5 iterations, which allows authenticated users with FAQ_EDIT permission to upload malicious SVG files. These SVG files contain deeply nested ampersand encoding around numeric HTML entities that can reconstruct javascript: URLs. When other users view and click on these SVG files, arbitrary JavaScript code executes in their browsers. The vulnerability has a CVSS score of 5. 4, indicating medium severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in phpMyFAQ before version 4.1.2 is a stored cross-site scripting issue located in the SvgSanitizer::decodeAllEntities() function. The sanitization process limits recursive decoding to five iterations, which is insufficient to prevent attackers from bypassing it. Authenticated users with FAQ_EDIT permissions can exploit this by uploading SVG files with deeply nested ampersand-encoded numeric HTML entities that reconstruct javascript: URLs. These URLs execute arbitrary JavaScript when clicked by other users viewing the SVG content, potentially leading to script execution in the context of the victim's browser session.
Potential Impact
An attacker with authenticated FAQ_EDIT permissions can upload malicious SVG files that execute arbitrary JavaScript in the browsers of other users who view and interact with the SVG content. This can lead to client-side script execution, potentially compromising user sessions or performing actions on behalf of the victim. The vulnerability does not affect system availability and has limited confidentiality and integrity impact as per the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided and the remediation level is not specified, users should monitor the vendor's announcements for updates. In the meantime, restrict FAQ_EDIT permissions to trusted users only and consider disabling SVG uploads or sanitizing SVG content with more robust tools to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-13T19:40:27.808Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec4ec166c07b0830aa5
Added to database: 5/15/2026, 7:06:44 PM
Last enriched: 5/15/2026, 7:22:59 PM
Last updated: 5/15/2026, 8:30:30 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.