84 matches found
CVE-2026-46361
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...
Weak Password Recovery Mechanism for Forgotten Password
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the updatePassword process. An attacker can gain unauthorized access to any user account,...
EUVD-2026-30578
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
phpMyFAQ 跨站脚本漏洞
phpMyFAQ is a multilingual, database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 had a cross-site scripting vulnerability. This vulnerability stemmed from a recursive entity decoding limit of 5 times in SvgSanitizer::decodeAllEntities, allowing users with...
phpMyFAQ 安全漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained a security vulnerability. This vulnerability stemmed from the lack of authorization for the DELETE /admin/api/content/tags/tagId endpoint. As a result, any...
Cross-site Scripting (XSS)
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Cross-site Scripting XSS via the decodeAllEntities function. An attacker can execute arbitrary JavaScript in the context of the application origin by...
Improper Encoding or Escaping of Output
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Utils::parseUrl function during comment rendering. An attacker can execute arbitrary JavaScript in the...
CVE-2026-32629
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 quoted local part yet contains raw HTML — for example ""@evil.com. PHP's FILTERVALIDATEEMAIL accepts this email...
CVE-2009-4040
Cross-site scripting XSS vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page...
CVE-2023-4006
Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16...
PT-2025-51967
Name of the Vulnerable Software and Affected Versions phpMyFAQ version 3.1.12 Description The software contains a CSV injection flaw that permits authenticated users to inject malicious formulas into their profile names. An attacker can modify their user profile name with a payload such as...
EUVD-2006-6896
Malware in sbrugna...
EUVD-2010-4524
Malware in sbrugna...
EUVD-2017-7155
Malware in sbrugna...
EUVD-2017-6120
Malware in sbrugna...
EUVD-2004-2247
Malware in sbrugna...
EUVD-2017-2821
Malware in sbrugna...
EUVD-2014-5935
Malware in sbrugna...
EUVD-2007-1029
Malware in sbrugna...
EUVD-2014-5933
Malware in sbrugna...