Security Advisory 2026-03-31
Multiple vulnerabilities in phpMyFAQ
- Issued on: 2026-03-31
- Software: phpMyFAQ <= 4.1.0
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned of security issues that were discovered in phpMyFAQ 4.1.0 and earlier.
Description
An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321
(quoted local part) yet contains raw HTML.
An unauthenticated attacker can inject wildcard characters into search queries, causing them to match unintended records.
The regex-based SVG sanitizer in phpMyFAQ can be bypassed using HTML entity encoding in JavaScript URLs within SVG
attributes.
The MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is
triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path
traversal validation.
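The defect described above is a file name concatenated onto the upload directory with no containment check. The following is an added example of how such a delete handler can be hardened; it is not phpMyFAQ's own code or its actual fix, and the function names, `$baseDir` and `$name` are assumed for illustration.

```php
<?php
// Added example (not phpMyFAQ code): resolve a user-supplied media file name
// against a base upload directory and refuse anything that would leave it.
declare(strict_types=1);

function resolveMediaFile(string $baseDir, string $name): ?string
{
    // Reject empty names and control characters (including NUL, which can
    // truncate paths in lower-level filesystem calls).
    if ($name === '' || preg_match('/[\x00-\x1F]/', $name) === 1) {
        return null;
    }

    // The media browser only deals with a bare file name, so any path
    // separator or dot-segment is already a sign of traversal.
    if ($name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() canonicalises symlinks and ".." and returns false when the
    // file does not exist, so a missing file also fails closed.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }

    // Final containment check: the canonical target must sit inside the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $target;
}

function removeMediaFile(string $baseDir, string $name): bool
{
    $path = resolveMediaFile($baseDir, $name);
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed demo: one real file in a temporary upload dir, one traversal attempt.
$base = sys_get_temp_dir() . '/faq_upload_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/logo.png', 'x');
var_dump(resolveMediaFile($base, 'logo.png') !== null);
var_dump(resolveMediaFile($base, '../../etc/passwd') === null);
```

Both checks matter: the `basename()` test rejects obvious traversal early, while the `realpath()` prefix comparison also catches symlinks that point outside the upload directory.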
An attacker can bypass sanitization by submitting FAQ content with unquoted or single-quoted event handler attributes.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 4.1.1, which fixes these vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 4.1.1.
Thanks
The phpMyFAQ team would like to thank **wooseokdotkim**, **Athul Jayaram**, **Mạnh NV**, and **Khaled M. Alshammri**
for the responsible disclosures of these vulnerabilities.