Threat Intel

v0.1

← CVEs

CVE-2026-34974

MED 5.4
Published
2026-04-02
Last Modified
2026-04-06
Affected Apps
16
Affected Devices
29
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
Affected Applications in Environment 16
PHP v8.2.6
1 device
PHP v8.5.3
1 device
PHP v8.1.31
1 device
PHP v8.2.29
1 device
php v2:8.4+101~+ubuntu24.04.1+deb.sury.org+1
8 devices
php v2:8.4+100~+ubuntu24.04.1+deb.sury.org+1
1 device
php v5.4.16-48.el7
1 device
php v2:7.4+75
3 devices
php v2:8.4+101~+ubuntu22.04.1+deb.sury.org+1
1 device
php v2:8.2+93
1 device
php v1:7.0+35ubuntu6.1
1 device
php v2:8.4+96+ubuntu20.04.1+deb.sury.org+1
1 device
php v2:8.4+100~+ubuntu22.04.1+deb.sury.org+1
1 device
php v2:8.1+92ubuntu1
1 device
php v2:8.3+93ubuntu2
5 devices
php v1:7.2+60ubuntu1
1 device
Affected Devices 29
DPCPD-9XY54D4 Windows DPDNNR-L92359R7 Windows KRAID Windows LUTZLAB178544 Windows aggietower Linux ah-ots Linux cceredcapweb Linux guru.cluster Linux kena-utility Linux my1 Linux mysql02 Linux privatebin Linux rcbd Linux rcdb-dev Linux redcapweb Linux sys-serv-l-301-data Linux web04a Linux web06 Linux web08.usu.edu Linux web11.usu.edu Linux web13.usu.edu Linux web14.usu.edu Linux web20 Linux web22 Linux web28 Linux web29.usu.edu Linux web30.usu.edu Linux web37.usu.edu Linux webs.usu.edu Linux
References 3