CVE-2026-32629: phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "alert(1)"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely.
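The two layers that fail here, shown as an added example rather than phpMyFAQ's own code: FILTER_VALIDATE_EMAIL passes a quoted local part through unchanged, so the fix belongs in a stricter input check plus escaping at render time. The function names (`isDotAtomEmail`, `renderEmailCell`) and the sample addresses are assumptions made for this example.

```php
<?php
// Added example (not phpMyFAQ code): why FILTER_VALIDATE_EMAIL alone is not an XSS control,
// and the two controls a defender wants instead.

// Constructed sample inputs: a plain address and an RFC 5321 quoted-local-part address.
$samples = [
    'user@example.com',
    '"alert(1)"@evil.com',   // quoted local part: any printable ASCII except \ and " is allowed
];

// Layer 1 (input): accept only a dot-atom local part, i.e. no quoted string at all.
// Quoted local parts are the only way to get '<', '>', '(', ')' or spaces past the validator,
// and no real-world mail form needs them.
function isDotAtomEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                        // still use the built-in check for everything else
    }
    // RFC 5322 atext plus '.', then '@', then a domain with no further '@'.
    return preg_match('/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]+@[^@\s]+$/', $email) === 1;
}

// Layer 2 (output): escape at render time regardless of what validation did.
// In the Twig template the equivalent fix is `{{ faq.email }}` instead of `{{ faq.email|raw }}`.
function renderEmailCell(string $email): string
{
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

foreach ($samples as $email) {
    printf(
        "%-22s FILTER_VALIDATE_EMAIL=%s  dot-atom=%s  rendered=%s\n",
        $email,
        filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? 'accepted' : 'rejected',
        isDotAtomEmail($email) ? 'accepted' : 'rejected',
        renderEmailCell($email)
    );
}
```

The quoted address is accepted by filter_var, rejected by isDotAtomEmail, and in any case reaches the page only with its quotes and brackets encoded.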