CVE-2026-46360 Overview
CVE-2026-46360 is a stored cross-site scripting (XSS) vulnerability in phpMyFAQ versions before 4.1.2. The flaw resides in the SvgSanitizer::decodeAllEntities() function, which caps recursive HTML entity decoding at five iterations. Attackers with FAQ_EDIT permission can upload SVG files containing deeply nested ampersand-encoded payloads that survive sanitization. When other users view the uploaded SVG, the bypass reconstructs javascript: URLs and executes arbitrary JavaScript in their browser session. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers, enabling session theft, account takeover, and unauthorized actions within the phpMyFAQ application.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- The SvgSanitizer component responsible for entity decoding
- SVG upload functionality available to users with FAQ_EDIT permission
Discovery Timeline
- 2026-05-15 - CVE-2026-46360 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46360
Vulnerability Analysis
The vulnerability stems from a depth-limited entity decoding loop inside the SVG sanitizer. phpMyFAQ accepts SVG uploads from authenticated contributors and attempts to strip dangerous content before rendering. The decodeAllEntities() function recursively resolves HTML entities (for example, the numeric entity for the letter j) so that it can detect and remove javascript: URI schemes. However, the function stops after five recursive passes, leaving deeper encodings intact in the final output. Attackers exploit this gap by wrapping numeric HTML entities in more layers of ampersand encoding than the loop will ever peel off.
Root Cause
The root cause is an insufficient sanitization loop that treats "decoding finished" as a fixed number of passes rather than as a string that no longer changes when decoded again. When the input contains more nested entity layers than the loop iterates, the sanitizer evaluates the partially decoded string and judges it safe. The remaining encoded payload is later decoded by the browser when rendering the SVG, reconstructing the malicious javascript: URL. This is a classic sanitization bypass driven by asymmetry between server-side validation and browser-side decoding.
Attack Vector
An authenticated user with FAQ_EDIT permission crafts an SVG file containing an anchor or event handler whose href attribute uses deeply nested ampersand-encoded characters spelling out javascript: followed by attacker JavaScript. The attacker uploads the file through the standard FAQ image attachment workflow. The sanitizer fails to fully decode the payload and stores the file. When another user opens the FAQ entry and clicks the embedded SVG element, the browser completes the decoding and executes the attacker's script under the victim's session context. Exploitation requires user interaction and a low-privileged authenticated account.
Detection Methods for CVE-2026-46360
Indicators of Compromise
- SVG files uploaded to phpMyFAQ containing multiple consecutive &amp; sequences wrapping numeric entities (for example, layered encodings that ultimately resolve to the letter j) or similarly nested entity patterns
- SVG attachments referencing <a> or event handler attributes with abnormally long encoded href values
- Web server logs showing uploads to FAQ attachment endpoints from accounts with FAQ_EDIT but no legitimate authoring history
- Browser console errors or unexpected outbound requests originating from FAQ pages
Detection Strategies
- Scan stored SVG attachments for nested ampersand encoding using regular expressions that target four or more consecutive &amp; sequences preceding a numeric entity
- Inspect HTTP request bodies for SVG uploads containing the substring patterns associated with encoded javascript: reconstruction
- Correlate FAQ edit events with subsequent SVG views to identify suspicious upload-then-view chains involving different user accounts
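As an added example (not code from phpMyFAQ or from this advisory), the following Python contrasts the five-pass decoding loop described under Root Cause with a fixed-point decoder, and implements the nested-entity scan from Detection Strategies over constructed SVG samples. The decode_capped model, the JS_SCHEME regex and the sample documents are assumptions for illustration, not the project's actual SvgSanitizer code.

```python
import html
import re
import xml.etree.ElementTree as ET

JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)
# Raw-file triage: four or more chained '&amp;' layers in front of a numeric entity.
NESTED_AMP = re.compile(r"&(?:amp;){4,}#(?:x[0-9a-f]+|[0-9]+);", re.IGNORECASE)

def decode_capped(value, max_passes=5):
    """Model of the pre-4.1.2 loop: a fixed number of passes, then stop."""
    for _ in range(max_passes):
        value = html.unescape(value)
    return value

def decode_fixed_point(value, max_passes=64):
    """Peel entity layers until the string stops changing; refuse pathological depth."""
    for _ in range(max_passes):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("entity nesting deeper than %d layers" % max_passes)

def nest_entities(text, amp_layers):
    """Constructed input: one numeric entity per character, wrapped in amp_layers '&amp;' layers."""
    return "".join("&" + "amp;" * amp_layers + f"#{ord(c)};" for c in text)

def scan_svg(svg_text):
    """Findings for one stored SVG: raw nested-entity triage, then fully decoded href/on* checks."""
    findings = []
    if NESTED_AMP.search(svg_text):
        findings.append("raw file: nested &amp; chain before a numeric entity")
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        for name, raw in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()  # strip the xlink namespace
            if (attr == "href" or attr.startswith("on")) and JS_SCHEME.match(decode_fixed_point(raw)):
                findings.append(f"<{tag} {attr}> resolves to a javascript: URL once fully decoded")
    return findings

# Constructed samples, not taken from any real upload.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="#faq-1"><text>ok</text></a></svg>'
NESTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              f'<a xlink:href="{nest_entities("javascript:", 5)}void(0)"><text>click</text></a></svg>')

if __name__ == "__main__":
    deep = nest_entities("javascript:", 5)  # needs six passes, so one layer survives the cap
    print("capped:", bool(JS_SCHEME.match(decode_capped(deep))),
          "fixed-point:", bool(JS_SCHEME.match(decode_fixed_point(deep))), scan_svg(NESTED_SVG))
```

The XML parser already removes one &amp; layer from attribute values, which is why scan_svg fully decodes each href and on* attribute instead of trusting a fixed pass count.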
Monitoring Recommendations
- Enable application-level logging for all SVG uploads, including uploader identity, file hash, and sanitization outcome
- Monitor authenticated session activity for anomalous JavaScript execution patterns on FAQ pages, such as unexpected fetch or XMLHttpRequest calls
- Audit accounts holding FAQ_EDIT permission and alert on newly granted editor privileges
How to Mitigate CVE-2026-46360
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which removes the iteration cap and fully resolves entity decoding before sanitization
- Audit existing SVG attachments and remove or re-sanitize any files containing nested ampersand-encoded sequences
- Review and reduce the number of accounts holding FAQ_EDIT permission to the minimum required
Patch Information
The maintainers released a fix in phpMyFAQ 4.1.2. Details are published in the GitHub Security Advisory GHSA-whqh-9pq5-c7r3 and the VulnCheck Advisory on phpMyFAQ. Administrators should apply the upgrade through standard release channels and verify the deployed version after patching.
Workarounds
- Disable SVG uploads entirely by restricting the allowed MIME types for FAQ attachments to raster image formats such as PNG and JPEG
- Serve user-uploaded SVG content from a separate sandboxed domain to limit the impact of script execution on the primary application origin
- Apply a strict Content Security Policy (CSP) that disallows inline scripts and javascript: URIs on pages rendering FAQ content
# Example CSP header: script-src without 'unsafe-inline' blocks both inline scripts and javascript: URL navigation.
# Note: navigate-to was a CSP Level 3 draft directive that shipping browsers do not implement; it is harmless but adds no protection.
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; navigate-to 'self'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.