CVE-2026-34974: Stored Cross-Site Scripting via SVG Sanitizer Bypass in phpMyFAQ
Vulnerability ID: CVE-2026-34974
CVSS Score: 5.4
Published: 2026-04-01
phpMyFAQ versions prior to 4.1.1 contain a vulnerability in the SVG sanitizer component. The sanitizer relies on a blacklist regular expression applied to the raw markup, which does not decode HTML entity-encoded attributes before matching, so an attacker with Editor privileges can upload an SVG whose dangerous attribute values only appear once the viewer's browser decodes them. The result is Stored Cross-Site Scripting (XSS) executing in the session of whoever views the FAQ; when that viewer is an administrator, the attacker can escalate to Administrator privileges.
TL;DR
A bypass in phpMyFAQ's SVG sanitizer allows authenticated users with Editor privileges to inject JavaScript via HTML entity-encoded attributes that the blacklist regular expression does not decode. This Stored XSS vulnerability can lead to privilege escalation when an administrator views the compromised FAQ. Fixed in version 4.1.1.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 5.4
- Impact: Stored XSS / Privilege Escalation
- Exploit Status: Proof of Concept (PoC) Available
- Authentication: Required (Editor Privileges)
Affected Systems
- phpMyFAQ Core Application (SVG sanitizer component)
- Browsers of users viewing affected FAQ pages (client-side execution)
- phpMyFAQ: < 4.1.1 (Fixed in: 4.1.1)
Mitigation Strategies
- Upgrade phpMyFAQ to version 4.1.1 or later
- Disable SVG file uploads in the application configuration until the upgrade is applied
- Audit existing SVG attachments for malicious encoded payloads; decode entity-encoded attribute values before inspecting them, since a plain-text search for strings such as `javascript:` has the same blind spot as the vulnerable sanitizer
Remediation Steps:
- Download the phpMyFAQ 4.1.1 release from the official repository.
- Backup the existing application database and file structure.
- Apply the update according to the phpMyFAQ upgrade documentation.
- Verify the application version in the administrative dashboard.
- Review recently uploaded FAQ attachments for suspicious content.
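The bypass class described above and the attachment audit in the remediation steps, as an added Python example that is not phpMyFAQ's code: `blacklist_accepts()` models a substring blacklist run over undecoded markup, `allowlist_accepts()` parses the SVG first and judges decoded attribute values against an allowlist, and `audit()` lists stored files the first check passes but the second rejects. The regular expression, the element and attribute allowlists and the sample SVGs are constructed for illustration; phpMyFAQ's actual sanitizer, the fixed code in 4.1.1 and the original proof-of-concept payload are not reproduced here.

```python
"""
Illustrative SVG sanitizer comparison (added example, not phpMyFAQ code).

blacklist_accepts() models the failure mode in the advisory: a regex run over
the raw markup never sees what the browser sees after XML character references
such as &#106; are decoded.  allowlist_accepts() parses first and checks the
decoded values, which is how a sanitizer must be structured to avoid this.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample uploads for the demonstration; none is a real attachment.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
PLAIN_PAYLOAD = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>'
)
# Same payload with the first byte of the scheme written as an XML character reference.
ENCODED_PAYLOAD = PLAIN_PAYLOAD.replace('"javascript:', '"&#106;avascript:')

# Hypothetical blacklist in the style the advisory describes; NOT the regex
# phpMyFAQ shipped.  It matches the raw text of the file, not decoded values.
BLACKLIST = re.compile(r'(javascript\s*:|<\s*script|\son\w+\s*=)', re.IGNORECASE)


def blacklist_accepts(svg: str) -> bool:
    """Vulnerable pattern: substring blacklist over undecoded markup."""
    return BLACKLIST.search(svg) is None


# Hardened pattern: parse, then allowlist elements and attributes by local name.
ALLOWED_TAGS = {
    'svg', 'g', 'defs', 'title', 'desc', 'path', 'circle', 'ellipse', 'rect',
    'line', 'polyline', 'polygon', 'text', 'tspan', 'a',
    'linearGradient', 'radialGradient', 'stop',
}
# Deliberately absent: 'style' (CSS url()), every on* handler, and any href
# target that is not vetted by _safe_href().
ALLOWED_ATTRS = {
    'id', 'viewBox', 'width', 'height', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
    'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'transform', 'fill', 'stroke',
    'stroke-width', 'offset', 'stop-color', 'href',
}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit('}', 1)[-1]


def _safe_href(value: str) -> bool:
    """Accept only fragment/relative links or http(s), judged after decoding."""
    # The XML parser already decoded &#106; etc.; unescape once more so a
    # double-encoded value is judged by its most permissive reading, and drop
    # the control characters browsers ignore inside a scheme.
    decoded = re.sub(r'[\x00-\x20]', '', html.unescape(value))
    return urlsplit(decoded).scheme.lower() in ('', 'http', 'https')


def allowlist_accepts(svg: str) -> bool:
    """Hardened check: reject anything not explicitly allowed."""
    # For untrusted input in production use defusedxml.ElementTree here; the
    # stdlib parser is used only so this example runs without dependencies.
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return False
    for el in root.iter():
        if not isinstance(el.tag, str) or _local(el.tag) not in ALLOWED_TAGS:
            return False
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name not in ALLOWED_ATTRS:   # rejects on*, style, unknown attrs
                return False
            if name == 'href' and not _safe_href(value):
                return False
    return True


def audit(attachments: dict) -> list:
    """Names of stored SVGs the blacklist let through but the allowlist rejects."""
    return sorted(
        name for name, body in attachments.items()
        if blacklist_accepts(body) and not allowlist_accepts(body)
    )
```

Running `audit()` over a dictionary of attachment names and contents surfaces exactly the files that slipped past a raw-text check, which is the population the remediation step asks you to review; the same parse-then-allowlist logic also catches internal DTD entities expanded by the parser, because the value inspected is the one the browser would act on.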
References
- GHSA-5crx-pfhq-4hgg Security Advisory
- phpMyFAQ 4.1.1 Release Notes
- CVE-2026-34974 Record
- GitLab Security Advisory