XSS in Thorsten Phpmyfaq
CVE-2026-32629
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for examp…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.002 (45.8th percentile)
Affected products
- Thorsten Phpmyfaq — versions < 4.1.1
References
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph (x_refsource_CONFIRM)
- https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1 (x_refsource_MISC)