{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32629", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.558Z", "datePublished": "2026-04-02T14:43:14.799Z", "dateUpdated": "2026-04-02T16:23:06.203Z"}, "containers": {"cna": {"title": "phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph"}, {"name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:43:14.799Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML \u2014 for example \"<script>alert(1)</script>\"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1."}], "source": {"advisory": "GHSA-98gw-w575-h2ph", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:18:14.966191Z", "id": "CVE-2026-32629", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:06.203Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "matchCriteriaId": "407BB5BA-44EA-49EB-8072-4ACD67864598", "versionEndExcluding": "4.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML \u2014 for example \"<script>alert(1)</script>\"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1."}], "id": "CVE-2026-32629", "lastModified": "2026-04-07T16:10:02.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:38.017", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "phpMyFAQ", "source": "cna", "vendor": "thorsten"}, "product": "phpmyfaq", "vendor": "thorsten"}], "analysis": {"en": {"generated_at": "2026-04-07T23:33:52.975256+00:00", "value": {"mitigation_remediation": ["Upgrade phpMyFAQ to version\u202f4.1.1 or newer", "Disable or restrict guest FAQ submissions until an update is applied", "Implement server\u2011side filtering to reject or strip HTML tags from e\u2011mail addresses and avoid using Twig\u2019s raw filter when rendering user data"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting in Admin Editor"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all phpMyFAQ releases prior to version 4.1.1. Administrators running older versions should verify whether the guest FAQ submission feature is enabled, as it is the entry point for the malicious e\u2011mail address.", "description_and_impact": "A malformed e\u2011mail address containing raw HTML, such as \"<script>alert(1)</script>\"@evil.com, is accepted by the PHP FILTER_VALIDATE_EMAIL function in phpMyFAQ versions older than 4.1.1. The email is persisted without sanitization and later rendered in the administrative FAQ editor template using Twig\u2019s |raw filter, which bypasses the framework\u2019s auto\u2011escaping. When an administrator opens the editor, the e\u2011mail address is injected into the page\u2019s HTML, allowing arbitrary JavaScript to execute in the context of any admin user who views the page. This can lead to session hijacking, theft of administrative credentials, or defacement of the internal interface.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild. The issue is not listed in CISA's KEV catalog. The likely attack vector is a web submission of a malicious e\u2011mail address by an unauthenticated attacker\u2014this inference is based on the description of how the email is accepted and stored."}}}}, "created": "2026-04-02T20:12:15.297336+00:00", "updated": "2026-04-08T19:56:18.780400+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}