CVE-2026-34974
JavaScript Injection via SVG Sanitizer Bypass in phpMyFAQ
Publication date: 2026-04-02
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpmyfaq | phpmyfaq | up to 4.1.1 (4.1.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34974 is a stored cross-site scripting (XSS) vulnerability in phpMyFAQ versions up to 4.1.0, caused by an inadequate SVG sanitizer (`SvgSanitizer.php`). The sanitizer uses a regular expression to block `javascript:` URLs in SVG `<a href>` attributes, but the regex matches the literal text of the file and therefore fails to detect `javascript:` URLs written with HTML entities. A user with the `edit_faq` permission can therefore upload a malicious SVG file containing an entity-encoded `javascript:` URL that passes sanitization.
When an administrator views such an SVG, the embedded JavaScript executes in the administrator's browser under the phpMyFAQ origin, enabling privilege escalation from editor to full admin takeover.
The problem is compounded by the sanitizer's blocklist, which omits SVG elements such as `<animate>`, `<set>` and `<use>` that can also be used to execute JavaScript, and by the fact that uploaded SVGs are served inline rather than as a forced download, so the script runs as soon as the file is viewed.
How can this vulnerability impact me?
This vulnerability allows any user with the `edit_faq` permission (an editor-level role) to upload malicious SVG files that execute arbitrary JavaScript when an administrator views them. Potential consequences include:
- Privilege escalation from editor to full admin.
- Creation of backdoor admin accounts.
- Exfiltration of sensitive configuration data such as database credentials and API tokens.
- Modification or deletion of FAQ content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying malicious SVG files uploaded via the `/admin/api/content/images` endpoint that contain HTML entity-encoded `javascript:` URLs within `<a href>` attributes, or that use dangerous SVG elements such as `<animate>`, `<set>` and `<use>`, which bypass the regex-based sanitizer.
To find potentially malicious SVG files, search the upload directory for encoded `javascript:` URLs or suspicious SVG elements.
- Use grep or a similar tool to find SVG files with `javascript:` URLs, for example: `grep -r --include='*.svg' 'javascript:' /path/to/uploaded/svg/files`. Note that a literal match only catches the plain form; the entity-encoded form this advisory describes does not contain the string `javascript:` on disk, so decode HTML entities (or parse the file) before matching.
- Search for SVG files containing potentially dangerous elements: `grep -r --include='*.svg' -E '<(animate|set|use)' /path/to/uploaded/svg/files`
Additionally, monitor HTTP requests to the `/admin/api/content/images` endpoint for uploads by users with the `edit_faq` permission, and inspect the uploaded SVG content for encoded `javascript:` URLs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade phpMyFAQ to version 4.1.1 or later, where the vulnerability has been patched.
- Replace the regex-based SVG sanitizer with a DOM-based allowlist sanitizer to properly neutralize malicious SVG content.
- Configure the server to serve uploaded SVG files with a `Content-Disposition: attachment` header to prevent inline rendering and script execution in browsers.
- Restrict or review users with edit_faq permission to limit the risk of malicious SVG uploads.
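The contrast between the literal-text check in the grep commands above and the DOM-based allowlist sanitizer recommended in the mitigation steps, as an added example that is not phpMyFAQ's own code. It is written in Python rather than the project's PHP so that it runs stand-alone; the SVG sample is constructed for this example, and the element allowlist, the `url_scheme` normalisation and the suggestion to use `defusedxml` in production are assumptions of the example, not details taken from the advisory.

```python
"""DOM-based allowlist pass over an uploaded SVG (added example, not phpMyFAQ code).

Why a DOM pass: an XML parser decodes character references such as &#106; while
building the tree, so a check on parsed attribute values sees "javascript:" even
when the raw file never contains that literal string.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlist for this example: a small set of drawing elements. Anything
# not listed (script, animate, set, use, foreignObject, ...) is dropped.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan",
}

# URL-bearing attributes checked on every element (plain and xlink-prefixed).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

_CTRL_OR_SPACE = re.compile(r"[\x00-\x20]")


def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of a URL value, ignoring the ASCII control
    characters and whitespace that browsers strip before scheme matching."""
    cleaned = _CTRL_OR_SPACE.sub("", value)
    scheme, sep, _rest = cleaned.partition(":")
    return scheme.lower() if sep else ""


def raw_regex_flags(svg_text: str) -> bool:
    """The kind of literal check a regex-based sanitizer performs on the raw file."""
    return re.search(r"javascript:", svg_text, re.IGNORECASE) is not None


def _local(qualified: str) -> str:
    """Strip an ElementTree namespace prefix: '{uri}name' -> 'name'."""
    return qualified.rsplit("}", 1)[-1]


def _scrub_attributes(elem, findings):
    name = _local(elem.tag)
    for attr in list(elem.attrib):
        aname = _local(attr)
        if attr in URL_ATTRS and url_scheme(elem.attrib[attr]) == "javascript":
            findings.append(f"<{name}>: removed {aname} with javascript: scheme")
            del elem.attrib[attr]
        elif aname.lower().startswith("on"):  # onload, onclick, ...
            findings.append(f"<{name}>: removed event handler {aname}")
            del elem.attrib[attr]


def _walk(parent, findings):
    for child in list(parent):
        name = _local(child.tag)
        if name not in ALLOWED_ELEMENTS:
            findings.append(f"<{name}>: element not in allowlist, removed")
            parent.remove(child)
            continue
        _scrub_attributes(child, findings)
        _walk(child, findings)


def sanitize_svg(svg_text: str):
    """Parse, prune to the allowlist, strip javascript: URLs and event handlers.

    Returns (sanitized_svg, findings). For untrusted input in production, use a
    hardened parser such as defusedxml (assumed available) instead of plain ET.
    """
    root = ET.fromstring(svg_text)  # character references are decoded here
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    findings = []
    _scrub_attributes(root, findings)
    _walk(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample: an entity-encoded javascript: href, a <use> element and an
# event-handler attribute. None of it is taken from a real upload.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a href="&#106;avascript:void(0)"><rect width="10" height="10"/></a>'
    '<use xlink:href="#shape"/>'
    '<circle r="4" onload="void(0)"/>'
    '</svg>'
)

if __name__ == "__main__":
    print("raw regex sees javascript: ->", raw_regex_flags(SAMPLE_SVG))
    cleaned, found = sanitize_svg(SAMPLE_SVG)
    for item in found:
        print("finding:", item)
    print(cleaned)
```

On the constructed sample the raw regex reports nothing, because the file contains `&#106;avascript:` rather than `javascript:`, while the DOM pass reports three findings and returns an SVG with the `href`, the `<use>` element and the `onload` handler removed. The allowlist approach is what makes the `<animate>`, `<set>` and `<use>` omission go away: elements are kept only when explicitly permitted, so a blocklist that forgets one name is no longer the failure mode.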
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in phpMyFAQ allows privilege escalation from an editor to full admin by uploading malicious SVG files that execute arbitrary JavaScript. This can lead to unauthorized access to sensitive configuration data such as database credentials and API tokens, as well as unauthorized modification or deletion of FAQ content.
Such unauthorized access and potential data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring proper access controls. The ability to create backdoor admin accounts and exfiltrate sensitive information represents a risk to confidentiality and integrity of data, which are key compliance requirements.
Therefore, organizations using vulnerable versions of phpMyFAQ may face increased risk of non-compliance with these standards if the vulnerability is exploited.