4 matches found

Github Security Blog
added 2026/05/15 9:31 p.m., 12 views

Duplicate Advisory: phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-f5p7-2c9q-8896. This link is maintained to preserve external references. Original Description: phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that...

CVSS 5.4 | AI score 5.2 | EPSS 0.00153
Exploits: 0 | References: 4 | Affected Software: 2
RedhatCVE
added 2026/04/03 5:0 p.m., 3 views

CVE-2026-34729

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes. This issue has been patched in version 4.1.1...

CVSS 6.1 | AI score 5.8 | EPSS 0.00241
Exploits: 1 | References: 1
CVE
added 2026/04/02 2:46 p.m., 7 views

CVE-2026-34729

CVE-2026-34729 — phpMyFAQ stored XSS via Regex bypass is confirmed across multiple sources. Affects phpMyFAQ prior to version 4.1.1, where Filter::removeAttributes() fails to strip unquoted or single-quoted event attributes, allowing an attacker with admin access to submit content that bypasses s...

CVSS 6.1 | AI score 5.8 | EPSS 0.00241
Exploits: 1 | References: 2 | Affected Software: 1
CNNVD
added 2026/04/02 12:0 a.m., 5 views

phpMyFAQ Cross-Site Scripting Vulnerability

phpMyFAQ is a multilingual FAQ system developed by Thorsten Rinne. It is entirely database-driven. Versions of phpMyFAQ prior to 4.1.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from an issue with Filter::removeAttributes, where regular expressions were bypassed,...

CVSS 6.1 | AI score 5.6 | EPSS 0.00241
Exploits: 1 | References: 2