4 matches found
phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...
CVE-2026-34729
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes. This issue has been patched in version 4.1.1...
CVE-2026-34729
CVE-2026-34729 (reserved entry) corresponds to a vulnerability in phpMyFAQ identified in GHSA-CV2G-8CJ8-VGC7, where the FAQ sanitization regex in Filter::removeAttributes() fails to strip unquoted or single-quoted attributes. Attackers with admin access can inject XSS into FAQ content, which beco...
phpMyFAQ Cross-Site Scripting Vulnerability
phpMyFAQ is a multilingual FAQ system developed by Thorsten Rinne. It is entirely database-driven. Versions of phpMyFAQ prior to 4.1.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from an issue with Filter::removeAttributes, where regular expressions were bypassed,...