CVE-2026-46363: phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

May 6, 2026 (updated June 9, 2026)

The FAQ creation and update endpoints in phpMyFAQ apply FILTER_SANITIZE_SPECIAL_CHARS (which HTML-encodes input), then immediately call html_entity_decode() which reverses the encoding, followed by Filter::removeAttributes() which only strips HTML attributes — not tags. This allows <script>, <iframe>, <object>, and <embed> tags to be stored in the database and rendered unescaped via {{ answer|raw }} and {{ question|raw }} in the Twig template, causing JavaScript execution in every visitor’s browser.

References

github.com/advisories/GHSA-f5p7-2c9q-8896
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896
nvd.nist.gov/vuln/detail/CVE-2026-46363
www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass

Code Behaviors & Features

Detect and mitigate CVE-2026-46363 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →