CVE-2026-32629
Stored XSS in phpMyFAQ Guest FAQ Email Field via Unsanitized Input
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpmyfaq | phpmyfaq | to 4.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32629 is a stored Cross-Site Scripting (XSS) vulnerability in phpMyFAQ versions prior to 4.1.1. It occurs because the application accepts email addresses from unauthenticated guest FAQ submissions that are syntactically valid per RFC 5321 but contain raw HTML or script tags, such as "<script>alert(1)</script>"@evil.com.
PHP's FILTER_VALIDATE_EMAIL incorrectly validates these malicious emails as valid. The email is then stored in the database without any HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which disables auto-escaping. This allows the embedded script to execute in the administrator's browser when they view the FAQ edit page.
The attack requires no authentication because guest FAQ submissions are allowed by default, and the admin manually reviews new FAQs. This vulnerability enables attackers to execute arbitrary JavaScript in the admin context.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including the execution of arbitrary JavaScript code in the administrator's browser when they view the malicious FAQ entry.
- Attackers can steal admin session cookies, leading to full admin account takeover.
- With admin access, attackers can create new users, modify content, change configurations, and potentially launch further attacks on the server.
- The vulnerability requires no authentication to exploit, making it easier for attackers to target the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for guest FAQ submissions containing email addresses with quoted local parts that include raw HTML or script tags, such as "<script>alert(1)</script>"@evil.com.
Since the vulnerability involves stored XSS in the admin FAQ editor, detection involves inspecting the database entries for suspicious email fields and monitoring admin page accesses for unexpected script execution.
Specific commands are not provided in the resources, but you can query the database for email fields containing HTML or script tags, for example using SQL commands like:
- SELECT * FROM faq WHERE email LIKE '%<script>%';
- SELECT * FROM faq WHERE email REGEXP '"<.*>"@';
Additionally, monitoring HTTP requests to the guest FAQ submission endpoint for suspicious email inputs and reviewing admin FAQ editor page behavior for unexpected script alerts can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched.
Until the upgrade can be applied, consider disabling guest FAQ submissions by setting `records.allowNewFaqsForGuests` to false to prevent unauthenticated users from submitting potentially malicious emails.
Also, ensure that administrators are cautious when reviewing guest FAQs and avoid opening suspicious entries in the admin FAQ editor.
Implement additional input validation or sanitization on email fields to reject or clean inputs containing HTML or script tags.
Enable CAPTCHA if not already enabled to reduce automated submissions, although this does not fully prevent targeted manual attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to inject malicious scripts into the admin interface via stored XSS, potentially leading to admin account takeover and unauthorized access to sensitive data.
Such unauthorized access and potential data compromise can violate common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure administrative controls.
Failure to properly validate and sanitize user input, resulting in stored XSS, undermines data integrity and confidentiality obligations mandated by these regulations.