CVE-2026-46360

phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

15 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected products

thorsten · phpmyfaq

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3 https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-entity-decoding-depth-limit-bypass-in-svg-sanitizer