Executive Summary

CVE-2026-34974 is a Stored Cross-Site Scripting (XSS) vulnerability in phpMyFAQ versions up to 4.1.0 caused by an inadequate SVG sanitizer (SvgSanitizer.php). The sanitizer uses a regex to block JavaScript URLs in SVG <a href> attributes, but this regex fails to detect JavaScript URLs encoded with HTML entities. This allows users with edit_faq permission to upload malicious SVG files containing encoded JavaScript URLs that bypass sanitization.

When an administrator views such a malicious SVG, the embedded JavaScript executes in the admin's browser under the phpMyFAQ origin, enabling privilege escalation from editor to full admin takeover.

The vulnerability also arises because the sanitizer's blocklist omits certain SVG elements like <animate>, <set>, and <use>, which can be exploited to execute JavaScript. Uploaded SVGs are served inline without forcing download, allowing script execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any user with edit_faq permission (an editor-level role) to upload malicious SVG files that execute arbitrary JavaScript when viewed by an administrator.

• Privilege escalation from editor to full admin.
• Creation of backdoor admin accounts.
• Exfiltration of sensitive configuration data such as database credentials and API tokens.
• Modification or deletion of FAQ content.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying malicious SVG files uploaded via the /admin/api/content/images endpoint that contain HTML entity-encoded javascript: URLs within <a href> attributes or use dangerous SVG elements like <animate>, <set>, and <use> which bypass the regex-based sanitizer.

To detect potentially malicious SVG files, you can search for SVG files containing encoded javascript URLs or suspicious SVG elements.

• Use grep or similar tools to find SVG files with encoded javascript: URLs, for example: grep -r --include='*.svg' '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;' /path/to/uploaded/svg/files
• Search for SVG files containing potentially dangerous elements: grep -r --include='*.svg' -E '<(animate|set|use)' /path/to/uploaded/svg/files

Additionally, monitor HTTP requests to the /admin/api/content/images endpoint for uploads by users with edit_faq permission, and inspect uploaded SVG content for encoded javascript URLs.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade phpMyFAQ to version 4.1.1 or later, where the vulnerability has been patched.
• Replace the regex-based SVG sanitizer with a DOM-based allowlist sanitizer to properly neutralize malicious SVG content.
• Configure the server to serve uploaded SVG files with a Content-Disposition: attachment header to prevent inline rendering and execution in browsers.
• Restrict or review users with edit_faq permission to limit the risk of malicious SVG uploads.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in phpMyFAQ allows privilege escalation from an editor to full admin by uploading malicious SVG files that execute arbitrary JavaScript. This can lead to unauthorized access to sensitive configuration data such as database credentials and API tokens, as well as unauthorized modification or deletion of FAQ content.

Such unauthorized access and potential data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring proper access controls. The ability to create backdoor admin accounts and exfiltrate sensitive information represents a risk to confidentiality and integrity of data, which are key compliance requirements.

Therefore, organizations using vulnerable versions of phpMyFAQ may face increased risk of non-compliance with these standards if the vulnerability is exploited.

Useful 0 Not Useful 0