{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-34974", "tracking": { "current_release_date": "2026-04-03T15:31:52.139638Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-34974", "initial_release_date": "2026-04-02T00:43:58.269545Z", "revision_history": [ { "date": "2026-04-02T00:43:58.269545Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-04-02T00:44:00.739907Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-04-02T15:30:30.379882Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-04-02T15:30:33.534628Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-04-02T15:35:18.243254Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-04-02T15:41:17.559612Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-04-02T15:41:21.170089Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-04-02T17:40:24.221172Z", "number": "8", "summary": "Unknown change." }, { "date": "2026-04-03T15:30:40.667932Z", "number": "9", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-04-03T15:30:59.742390Z", "number": "10", "summary": "NCSC Score updated." } ], "status": "interim", "version": "10" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<4.1.1", "product": { "name": "vers:unknown/<4.1.1", "product_id": "CSAFPID-5984994" } } ], "category": "product_name", "name": "phpMyFAQ" } ], "category": "vendor", "name": "thorsten" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34974", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "### Summary\nThe regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can be bypassed using HTML entity encoding in `javascript:` URLs within SVG `` attributes. Any user with `edit_faq` permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.\n\n### Details\nThe file `phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php` (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for `javascript:` URL detection is:\n\n`/href\\s*=\\s*[\"\\']javascript:[^\"\\']*[\"\\']/i`\n\nThis pattern matches the literal string `javascript:` but fails when the URL is HTML entity encoded. For example, `javascript:` decodes to `javascript:` in the browser, but does NOT match the regex. The `isSafe()` method returns `true`, so the SVG is accepted without sanitization.\n\nAdditionally, the `DANGEROUS_ELEMENTS` blocklist misses ``, ``, and `` elements which can also be used to execute JavaScript in SVG context.\n\nUploaded SVG files are served with `Content-Type: image/svg+xml` and no `Content-Disposition: attachment` header, so browsers render them inline and execute any JavaScript they contain.\n\nThe image upload endpoint (`/admin/api/content/images`) only requires the `edit_faq` permission — not full admin — so any editor-level user can upload malicious SVGs.\n\n### PoC\n### Basic XSS (confirmed working in Chrome 146 and Edge)\n\n1. Login to phpMyFAQ admin panel with any account that has `edit_faq` permission\n2. Navigate to Admin → Content → Add New FAQ\n3. In the TinyMCE editor, click the image upload button\n4. Upload this SVG file:\n\n```xml\n\n\n \n Click for XSS\n \n\n```\n\n5. The SVG is uploaded to `/content/user/images/_.svg`\n6. Open the SVG URL directly in a browser\n7. Click the red text → `alert(document.domain)` executes\n\n### Privilege Escalation (Editor → Admin Takeover)\n\n1. As editor, upload this SVG:\n\n```xml\n\n\n \n 📋 System Notice\n r.json()).then(d=>document.title='pwned')\">\n \n View Update →\n \n\n```\n\n2. Send the SVG URL to an admin\n3. Admin opens URL, clicks \"View Update →\"\n4. JavaScript creates backdoor admin user `backdoor:H4ck3d!`\n5. Attacker logs in as `backdoor` with full admin privileges\n\n\n### Impact\nThis is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with `edit_faq` permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to:\n- Create backdoor admin accounts via the admin API\n- Exfiltrate phpMyFAQ configuration (database credentials, API tokens)\n- Modify or delete FAQ content\n- Achieve full admin account takeover\nThe vulnerability affects all phpMyFAQ installations using the `SvgSanitizer` class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with `Content-Disposition: attachment` to prevent inline rendering.", "title": "github - https://api.github.com/advisories/GHSA-5crx-pfhq-4hgg" }, { "category": "description", "text": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34974" }, { "category": "description", "text": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34974.json" }, { "category": "other", "text": "0.00029", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "There is cwe data available from source Nvd, The value of the most recent EPSS score, Is related to (a version of) an uncommon product, Is related to CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5984994" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-5crx-pfhq-4hgg" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34974" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34974.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-5crx-pfhq-4hgg" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5984994" ] } ], "title": "CVE-2026-34974" } ] }