phpMyFAQ Stored XSS: Authenticated Users Can Steal Admin Sessions

The National Vulnerability Database reports a critical stored cross-site scripting (XSS) vulnerability, CVE-2026-46367, in phpMyFAQ versions prior to 4.1.2. This flaw resides in the Utils::parseUrl() function, allowing authenticated users to inject malicious JavaScript through malformed URLs within comments. The attacker’s calculus here is straightforward: craft a URL with unescaped quotes, embed an event handler, and wait for an administrator to view an affected FAQ page.

Once triggered, this XSS attack facilitates the theft of admin session cookies, potentially leading to a full application takeover. The CVSS score of 7.6 (HIGH) reflects the significant impact, particularly the high confidentiality impact and the ability to compromise the system with only low privileges and user interaction. It’s a classic client-side attack with server-side persistence through stored XSS.

For defenders, this means a compromised user account can escalate privileges dramatically. Attackers aren’t just defacing pages; they’re aiming for persistent access and control. This isn’t theoretical; it’s a well-understood attack vector that has proven effective time and again for gaining persistence and lateral movement within web applications. Patching is paramount, but so is understanding the broader implications of user-generated content and inadequate input sanitization.
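The mechanism the advisory describes, rendering a user-supplied URL into an anchor tag without escaping quotes, is easiest to see side by side with its hardened form. The following is an added example written for this page in Python; it is not phpMyFAQ code and makes no claim about the internals of Utils::parseUrl(). The sample URLs, the function names and the use of an HTML parser to show which attributes a browser would actually see are all constructed here.

```python
"""Vulnerable vs. hardened rendering of a user-supplied URL inside HTML.

Added example: constructed in Python to mirror the PHP pattern the advisory
describes (a URL from a comment body is turned into an <a> tag). It is not
phpMyFAQ code and says nothing about what Utils::parseUrl() does internally.
"""
import html
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample inputs. The crafted one closes the href attribute with a
# quote and smuggles an event-handler attribute into the tag.
CRAFTED_URL = 'http://example.com/" onmouseover="alert(1)'
BENIGN_URL = "https://example.com/faq?id=42&lang=en"


def render_link_vulnerable(url: str) -> str:
    """Interpolates the URL straight into the markup; quotes are never escaped,
    so a quote inside the URL terminates the attribute early."""
    return f'<a href="{url}">{url}</a>'


def render_link_hardened(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs, then escape every HTML metacharacter
    including quotes (the equivalent of htmlspecialchars() with ENT_QUOTES).
    Escaping, not the scheme check, is what defeats the attribute breakout."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # rejects javascript:, data:, relative and malformed URLs
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow noopener">{safe}</a>'


class _AnchorAttrs(HTMLParser):
    """Records the attribute names of the first <a> tag, i.e. what a browser
    would actually see after parsing the fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = [name for name, _ in attrs]


def anchor_attributes(fragment: str) -> List[str]:
    """Parse a rendered fragment and return the attribute names on its <a> tag."""
    parser = _AnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_link_vulnerable),
                            ("hardened", render_link_hardened)):
        out = renderer(CRAFTED_URL)
        print(f"{label:10} -> {out}")
        print(f"{'':10}    attributes seen by the parser: {anchor_attributes(out)}")
    print("javascript: URL through the hardened renderer ->",
          render_link_hardened("javascript:alert(1)"))
```

Run stand-alone, the vulnerable renderer yields an anchor carrying both `href` and `onmouseover`, while the hardened one yields only `href` and `rel` for the very same input: the quote survives inside the attribute value as `&quot;` and never ends the attribute. Note that the scheme allow-list alone would have let the crafted URL through, since it is a syntactically valid http URL; the escaping step is the actual fix.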

What This Means For You

  • If your organization uses phpMyFAQ, identify your current version immediately and prioritize upgrading to 4.1.2 or later to mitigate CVE-2026-46367. After patching, audit comment sections for suspicious or malformed URLs (unescaped quotes, embedded event-handler attributes) that could indicate prior exploitation attempts, and force a re-login for all administrative users so that any session cookie stolen before the patch stops working.

Detection Rules

Level: high · ATT&CK: T1190 (Initial Access)

phpMyFAQ Stored XSS - Malicious URL Comment Injection - CVE-2026-46367

Sigma YAML
title: phpMyFAQ Stored XSS - Malicious URL Comment Injection - CVE-2026-46367
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-46367 by injecting a stored XSS payload within a comment in phpMyFAQ. The payload aims to steal admin session cookies. This rule specifically looks for the comment submission endpoint and a common XSS payload pattern.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46367/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/comment.php'
    cs-uri-query|contains:
      - 'comment=<script>alert(document.cookie)</script>'
  # condition is a key of the detection block, not of the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity
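To see what the selection above does and does not catch, here is an added example (not part of the page or of the SCW rule set) that applies the same two substring tests to constructed web-server log lines. The log layout, the field names in FIELDS, the sample addresses and the function names are all assumptions made for this illustration; Sigma's `contains` is case-insensitive and a map of fields is ANDed, which the code reproduces.

```python
"""Run the Sigma selection above over constructed web-server log lines.

Added example, not part of the page or of the SCW rule set. The log layout is
a constructed W3C-style format with the fields listed in FIELDS; real servers
differ, so adjust parse_line() for your own access-log format.
"""
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The two field tests from the rule's selection. Sigma ANDs the fields of a
# map and ORs the values listed under one field; 'contains' is case-insensitive.
RULE_SELECTION: Dict[str, List[str]] = {
    "cs-uri": ["/comment.php"],
    "cs-uri-query": ["comment=<script>alert(document.cookie)</script>"],
}

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "cs-uri-query", "sc-status"]

# Constructed sample access log (private addresses, no real traffic).
# Line 2 carries the payload literally, line 3 carries it percent-encoded as a
# browser would actually send it, line 5 is a POST whose body the log never sees.
SAMPLE_LOG = """\
2026-05-15 22:01:03 10.0.0.5 GET /index.php action=show&cat=1 200
2026-05-15 22:01:09 10.0.0.7 GET /comment.php comment=<script>alert(document.cookie)</script> 302
2026-05-15 22:01:12 10.0.0.8 GET /comment.php comment=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E 302
2026-05-15 22:01:20 10.0.0.9 GET /comment.php comment=Thanks%2C+this+helped 302
2026-05-15 22:01:33 10.0.0.7 POST /comment.php - 302
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one space-separated log line into a field map; '-' means empty."""
    parts = line.split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    if entry["cs-uri-query"] == "-":
        entry["cs-uri-query"] = ""
    return entry


def selection_matches(entry: Dict[str, str],
                      selection: Dict[str, List[str]] = RULE_SELECTION,
                      decode: bool = True) -> bool:
    """Evaluate a Sigma-style selection: every field must contain at least one
    of its listed values. With decode=True the field is percent-decoded first,
    which is what it takes to catch the encoded form of the payload."""
    for field, needles in selection.items():
        haystack = entry.get(field, "")
        if decode:
            haystack = unquote_plus(haystack)
        haystack = haystack.lower()
        if not any(needle.lower() in haystack for needle in needles):
            return False
    return True


def scan(log_text: str, decode: bool = True) -> List[str]:
    """Return the client addresses of all log lines the selection matches."""
    hits: List[str] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and selection_matches(entry, decode=decode):
            hits.append(entry["c-ip"])
    return hits


if __name__ == "__main__":
    print("literal match only:     ", scan(SAMPLE_LOG, decode=False))
    print("after percent-decoding: ", scan(SAMPLE_LOG, decode=True))
```

Two practical points fall out of the run. Without percent-decoding, only the line that carries the payload verbatim matches, while the encoded form a browser actually submits slips past; decode the field (or let the SIEM do it) before applying a `contains` test. And the rule is blind by construction to anything that does not appear in the URL: a comment submitted in a POST body never reaches cs-uri-query, and the literal string matches only this one example payload, not the malformed-URL event-handler form the advisory describes. Application-level logging of comment bodies, or a WAF with request-body inspection, is needed for coverage there.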

Indicators of Compromise

ID              Type  Indicator
CVE-2026-46367  XSS   phpMyFAQ before 4.1.2
CVE-2026-46367  XSS   Utils::parseUrl() function
CVE-2026-46367  XSS   malformed URLs in comments

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
