GHSA-whqh-9pq5-c7r3: phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
The SvgSanitizer::decodeAllEntities() method limits recursive entity decoding to 5 iterations. By wrapping each character of javascript in an href attribute value with 5 levels of & encoding around numeric HTML entities (e.g., j for j), an attacker can bypass both isSafe() detection and sanitize() removal. The uploaded SVG is served from the application origin with image/svg+xml content type, and the browser’s XML parser fully decodes the remaining &#NNN; entities, resulting in a clickable javascript: link that executes arbitrary JavaScript.
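As an added illustration (not phpMyFAQ's own code), the bounded-iteration decoding pattern the advisory describes, mirrored in Python next to a fixed-point variant that refuses any value it cannot fully decode within the limit; `MAX_DEPTH`, the function names and the constructed payload are assumptions, and `browser_view` stands in for the one extra decoding pass the XML parser performs on the attribute the sanitizer let through.

```python
import html

MAX_DEPTH = 5  # iteration limit from the advisory; this mirror is not phpMyFAQ's code


def decode_bounded(value: str, limit: int = MAX_DEPTH) -> str:
    """Flawed pattern: decode at most `limit` times and trust whatever is left."""
    for _ in range(limit):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_strict(value: str, limit: int = MAX_DEPTH) -> str:
    """Hardened: decode until the value stops changing. If it is still
    changing after `limit` passes, refuse it rather than returning a
    partially decoded string that the browser will finish decoding."""
    for _ in range(limit + 1):  # limit passes plus one pass to confirm stability
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError(f"entity nesting deeper than {limit} levels")


def is_safe_href(href: str, decoder) -> bool:
    """Sanitizer-style check: reject javascript: URLs after decoding."""
    try:
        decoded = decoder(href)
    except ValueError:
        return False  # undecodable within budget: treat as unsafe, not as clean
    return not decoded.strip().lower().startswith("javascript:")


def browser_view(value: str) -> str:
    """Approximates the XML parser: one more pass of entity decoding over the
    attribute value that reached the browser."""
    return html.unescape(value)


def nested_payload(text: str, levels: int) -> str:
    """Constructed test input: each character as a numeric entity, then '&'
    re-encoded `levels` times, so full decoding needs levels + 1 passes."""
    out = "".join(f"&#{ord(c)};" for c in text)
    for _ in range(levels):
        out = out.replace("&", "&amp;")
    return out
```

With five layers the bounded decoder stops one pass short, the check passes the value as safe, and the browser's own pass yields the `javascript:` URL; the strict decoder never returns a half-decoded value.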