CVE-2025-68951: phpMyFAQ has Stored XSS in user list via admin-managed display_name
(updated )
A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.
References
- github.com/advisories/GHSA-jv8r-hv7q-p6vc
- github.com/thorsten/phpMyFAQ
- github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
- github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
- nvd.nist.gov/vuln/detail/CVE-2025-68951
Code Behaviors & Features
Detect and mitigate CVE-2025-68951 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →