{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34729", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T14:46:22.056Z", "dateUpdated": "2026-04-02T18:44:47.729Z"}, "containers": {"cna": {"title": "phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7"}, {"name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:46:22.056Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.1."}], "source": {"advisory": "GHSA-cv2g-8cj8-vgc7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:44:33.329293Z", "id": "CVE-2026-34729", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:44:47.729Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "matchCriteriaId": "407BB5BA-44EA-49EB-8072-4ACD67864598", "versionEndExcluding": "4.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.1."}], "id": "CVE-2026-34729", "lastModified": "2026-04-07T14:52:49.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T15:16:42.393", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "phpMyFAQ", "source": "cna", "vendor": "thorsten"}, "product": "phpmyfaq", "vendor": "thorsten"}], "analysis": {"en": {"generated_at": "2026-04-07T19:57:24.705294+00:00", "value": {"mitigation_remediation": ["Upgrade phpMyFAQ to version 4.1.1 or later"], "summary": {"action": "Patch Immediately", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "Open source FAQ web application phpMyFAQ, produced by thorsten, is affected for every release before version 4.1.1. The flaw is present wherever user supplied content is stored without proper attribute removal.", "description_and_impact": "The vulnerability arises from a regex bypass flaw in the Filter::removeAttributes() routine of phpMyFAQ, allowing attackers to embed malicious JavaScript into data that is stored in the database and later rendered in web pages. When an end user views affected content, the injected script executes in their browser, providing client\u2011side code execution that can harvest session cookies, deface the site, or launch phishing attacks.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not documented in the CISA KEV catalog. Exploitation requires an attacker to inject malicious content into a stored field, such as an FAQ entry or comment, which then triggers when any user loads the page. Successful exploitation would grant only client\u2011side control, not system\u2011level access."}}}}, "created": "2026-04-02T20:11:39.255145+00:00", "updated": "2026-04-08T19:55:44.064732+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}