Executive Summary

CVE-2026-32629 is a stored Cross-Site Scripting (XSS) vulnerability in phpMyFAQ versions prior to 4.1.1. It occurs because the application accepts email addresses from unauthenticated guest FAQ submissions that are syntactically valid per RFC 5321 but contain raw HTML or script tags, such as "<script>alert(1)</script>"@evil.com.

PHP's FILTER_VALIDATE_EMAIL incorrectly validates these malicious emails as valid. The email is then stored in the database without any HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which disables auto-escaping. This allows the embedded script to execute in the administrator's browser when they view the FAQ edit page.

The attack requires no authentication because guest FAQ submissions are allowed by default, and the admin manually reviews new FAQs. This vulnerability enables attackers to execute arbitrary JavaScript in the admin context.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including the execution of arbitrary JavaScript code in the administrator's browser when they view the malicious FAQ entry.

• Attackers can steal admin session cookies, leading to full admin account takeover.
• With admin access, attackers can create new users, modify content, change configurations, and potentially launch further attacks on the server.
• The vulnerability requires no authentication to exploit, making it easier for attackers to target the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for guest FAQ submissions containing email addresses with quoted local parts that include raw HTML or script tags, such as "<script>alert(1)</script>"@evil.com.

Since the vulnerability involves stored XSS in the admin FAQ editor, detection involves inspecting the database entries for suspicious email fields and monitoring admin page accesses for unexpected script execution.

Specific commands are not provided in the resources, but you can query the database for email fields containing HTML or script tags, for example using SQL commands like:

• SELECT * FROM faq WHERE email LIKE '%<script>%';
• SELECT * FROM faq WHERE email REGEXP '"<.*>"@';

Additionally, monitoring HTTP requests to the guest FAQ submission endpoint for suspicious email inputs and reviewing admin FAQ editor page behavior for unexpected script alerts can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider disabling guest FAQ submissions by setting `records.allowNewFaqsForGuests` to false to prevent unauthenticated users from submitting potentially malicious emails.

Also, ensure that administrators are cautious when reviewing guest FAQs and avoid opening suspicious entries in the admin FAQ editor.

Implement additional input validation or sanitization on email fields to reject or clean inputs containing HTML or script tags.

Enable CAPTCHA if not already enabled to reduce automated submissions, although this does not fully prevent targeted manual attacks.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an unauthenticated attacker to inject malicious scripts into the admin interface via stored XSS, potentially leading to admin account takeover and unauthorized access to sensitive data.

Such unauthorized access and potential data compromise can violate common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure administrative controls.

Failure to properly validate and sanitize user input, resulting in stored XSS, undermines data integrity and confidentiality obligations mandated by these regulations.

Useful 0 Not Useful 0