Security: thorsten/phpMyFAQ
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
  GHSA-f5p7-2c9q-8896, published Apr 28, 2026 by thorsten. Severity: Moderate
- Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
  GHSA-7cx3-2qx2-3g6w, published Apr 28, 2026 by thorsten. Severity: Moderate
- Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check in phpMyFAQ
  GHSA-hpgw-ww76-c68r, published Apr 28, 2026 by thorsten. Severity: Moderate
- Stored XSS via Utils::parseUrl() in comment rendering
  GHSA-9525-27vj-c8r8, published Apr 28, 2026 by thorsten. Severity: High
- Stored XSS via Regex Bypass in Filter::removeAttributes()
  GHSA-cv2g-8cj8-vgc7, published Mar 31, 2026 by thorsten. Severity: Moderate
- Path Traversal - Arbitrary File Deletion in MediaBrowserController
  GHSA-38m8-xrfj-v38x, published Mar 31, 2026 by thorsten. Severity: High
- SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation
  GHSA-5crx-pfhq-4hgg, published Mar 31, 2026 by thorsten. Severity: Moderate
- LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
  GHSA-gcp9-5jc8-976x, published Mar 31, 2026 by thorsten. Severity: Moderate
- Stored XSS via Unsanitized Email Field in Admin FAQ Editor
  GHSA-98gw-w575-h2ph, published Mar 31, 2026 by thorsten. Severity: High
- Unauthenticated Account Creation via WebAuthn Prepare Endpoint
  GHSA-w22q-m2fm-x9f4, published Feb 27, 2026 by thorsten. Severity: High