phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
References
Configurations
Configuration 1 (hide)
|
History
07 Jan 2026, 15:35
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Phpmyfaq phpmyfaq
Phpmyfaq |
|
| CPE | cpe:2.3:a:phpmyfaq:phpmyfaq:4.1.0:rc:*:*:*:*:*:* cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:* |
|
| References | () https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370 - Patch | |
| References | () https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87 - Patch | |
| References | () https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc - Vendor Advisory |
29 Dec 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-29 16:15
Updated : 2026-01-07 15:35
NVD link : CVE-2025-68951
Mitre link : CVE-2025-68951
CVE.ORG link : CVE-2025-68951
JSON object : View
Products Affected
phpmyfaq
- phpmyfaq
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')