Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-34974 - Vulnerability Database
phpMyFAQ

phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-34974

Medium
Reference: CVE-2026-34974
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-34974
Title: phpMyFAQ Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1 the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG lta hrefgt attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.