phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-32629 - Vulnerability Database

phpMyFAQ

phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-32629

Medium

Reference: CVE-2026-32629

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-32629

Title: phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1 an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML for example quotltscriptgtalert(1)lt/scriptgtquotevil.com. PHP39s FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig39s raw filter which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.