3 matches found
CVE-2026-32629
Summary: CVE-2026-32629 affects phpMyFAQ prior to 4.1.1, where an unauthenticated attacker can submit a guest FAQ with a syntactically valid but HTML-containing email address. PHP’s FILTER_VALIDATE_EMAIL accepts the quoted-local-part email, stores it without HTML sanitization, and later renders i...
GHSA-98GW-W575-H2PH phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Summary An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 quoted local part yet contains raw HTML — for example "alert1"@evil.com. PHP's FILTERVALIDATEEMAIL accepts this email as valid. The email is stored in the database without HTM...
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Summary An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 quoted local part yet contains raw HTML — for example "alert1"@evil.com. PHP's FILTERVALIDATEEMAIL accepts this email as valid. The email is stored in the database without HTM...