Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
High severity
GitHub Reviewed
Published
May 15, 2026
to the GitHub Advisory Database
•
Updated Jun 8, 2026
Withdrawn
This advisory was withdrawn on Jun 8, 2026
Description
Published by the National Vulnerability Database
May 15, 2026
Published to the GitHub Advisory Database
May 15, 2026
Reviewed
May 21, 2026
Last updated
Jun 8, 2026
Withdrawn
Jun 8, 2026
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9525-27vj-c8r8. This link is maintained to preserve external references.
Original Description
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.
References