GHSA-9525-27vj-c8r8: phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering

May 6, 2026

A stored XSS vulnerability in the comment rendering pipeline allows an authenticated user to inject JavaScript that executes for every visitor of an affected FAQ or News page. An attacker with a registered account can steal admin session cookies and take over the application.

References

github.com/advisories/GHSA-9525-27vj-c8r8
github.com/thorsten/phpMyFAQ
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8

Code Behaviors & Features

Detect and mitigate GHSA-9525-27vj-c8r8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →