CVE-2026-32629 MEDIUM

CVE-2026-32629: phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor

Vendor Thorsten
Product phpMyFAQ
Weakness CWE-20 · Input validation
Published April 2, 2026
Last update April 2, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None (vulnerable system), High (subsequent system)
Integrity None (vulnerable system), High (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

What the vulnerability does

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
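As an added illustration (not phpMyFAQ's own code, and not a claim about how 4.1.1 was patched), the PHP below shows that FILTER_VALIDATE_EMAIL does pass the quoted-local-part address from the description, then applies the two controls a defender would want: rejecting quoted local parts at input and escaping at output, plus an audit helper for rows stored before the upgrade. Function names and the sample rows are constructed for this example.

```php
<?php
// Added example, not phpMyFAQ's code. Shows why FILTER_VALIDATE_EMAIL alone is
// not an XSS control and adds two defensive layers on top of it.

// Strict validation: PHP's filter plus a ban on RFC 5321 quoted local parts,
// which a FAQ contact form never needs (assumption: dot-atom addresses suffice).
function isAcceptableEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $at = strrpos($email, '@');              // last '@' separates local part from domain
    $local = substr($email, 0, $at);
    // A quoted local part begins with '"'. Unquoted (dot-atom) local parts cannot
    // contain '<' or '>' and the domain part is limited to hostname characters,
    // so rejecting the quoted form leaves no way to smuggle HTML tags through.
    return $local !== '' && $local[0] !== '"';
}

// Output escaping, applied regardless of what validation did. In the Twig
// template the equivalent is dropping the |raw filter so auto-escaping runs.
function renderEmailCell(string $email): string
{
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Audit helper for already-stored data: returns every row whose email fails the
// strict check, so an admin can review what was accepted before the upgrade.
function findSuspiciousEmails(array $rows): array
{
    return array_values(array_filter($rows, fn(array $r) => !isAcceptableEmail($r['email'])));
}

// Constructed sample rows (not real data); the second uses the advisory's payload shape.
$rows = [
    ['id' => 1, 'email' => 'reader@example.com'],
    ['id' => 2, 'email' => '"<script>alert(1)</script>"@evil.com'],
];

foreach ($rows as $row) {
    $passes = filter_var($row['email'], FILTER_VALIDATE_EMAIL) !== false;
    printf("id=%d  filter_var=%s  strict=%s\n  escaped: %s\n",
        $row['id'], $passes ? 'pass' : 'fail',
        isAcceptableEmail($row['email']) ? 'pass' : 'fail',
        renderEmailCell($row['email']));
}
echo count(findSuspiciousEmails($rows)), " row(s) need review\n";
```

Running the audit helper against a dump of the stored email column is a quick way to check whether any such addresses reached the database before upgrading to 4.1.1.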

Key dates

Disclosure timeline

April 2, 2026 CVE published
April 2, 2026 Record updated