CVE-2026-34729: phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()
The sanitization pipeline for FAQ content is:
- Filter::filterVar($input, FILTER_SANITIZE_SPECIAL_CHARS) encodes <, >, ", ', & to HTML entities
- html_entity_decode($input, ENT_QUOTES | ENT_HTML5) decodes the entities back to characters
- Filter::removeAttributes($input) removes dangerous HTML attributes
The removeAttributes() regex at line 174 only matches attributes with double-quoted values:
preg_match_all(pattern: '/[a-z]+=".+"/iU', subject: $html, matches: $attributes);
This regex does NOT match:
- Attributes with single quotes: onerror='alert(1)'
- Attributes without quotes: onerror=alert(1)
An attacker can therefore bypass the sanitization by submitting FAQ content whose event handler attributes use single quotes or no quotes at all: removeAttributes() never sees them, the content is stored as submitted, and the handler executes when the FAQ entry is rendered (stored XSS).
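The following PHP snippet is an added example, not phpMyFAQ's code or the upstream fix. It runs the advisory's double-quote-only pattern and a constructed pattern that also covers single-quoted and bare attribute values over the three attribute syntaxes discussed above, and shows which event handlers each one can see and strip. The FULL_ATTR_PATTERN, the on* "dangerous attribute" rule and the sample inputs are assumptions made for this demo.

```php
<?php
// Added example, not phpMyFAQ's code. It shows why the advisory's pattern misses
// single-quoted and unquoted attribute values, and one way to match all three forms.

// The pattern quoted in the advisory: only attr="value" is matched.
const WEAK_ATTR_PATTERN = '/[a-z]+=".+"/iU';

// Constructed replacement pattern (an assumption, not the upstream fix):
// attribute name preceded by whitespace or a closing quote, optional spaces
// around '=', then a double-quoted, single-quoted or bare value, as HTML
// parsers accept it.
const FULL_ATTR_PATTERN = '/(?<=[\s"\'])([a-z][a-z0-9\-]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'=<>`]+)/i';

// Attributes treated as dangerous in this demo: any on* event handler.
// phpMyFAQ keeps its own list; this rule is an assumption for the example.
function isDangerousAttribute(string $name): bool
{
    return preg_match('/^on[a-z]+$/i', $name) === 1;
}

// Names of dangerous attributes that $pattern is able to see in $html.
function findDangerousAttributes(string $html, string $pattern): array
{
    preg_match_all($pattern, $html, $matches);
    $names = [];
    foreach ($matches[0] as $attr) {
        // Attribute name is the text before the first '='.
        $name = strtolower(trim(strstr($attr, '=', true)));
        if (isDangerousAttribute($name)) {
            $names[] = $name;
        }
    }
    return $names;
}

// Remove dangerous attributes that $pattern can see; keep everything else.
function stripDangerousAttributes(string $html, string $pattern): string
{
    return preg_replace_callback($pattern, function (array $m): string {
        $name = strtolower(trim(strstr($m[0], '=', true)));
        return isDangerousAttribute($name) ? '' : $m[0];
    }, $html);
}

// Constructed inputs: the three attribute syntaxes named in the advisory.
$samples = [
    '<img src="x" onerror="alert(1)">',
    "<img src='x' onerror='alert(1)'>",
    '<img src=x onerror=alert(1)>',
];

foreach ($samples as $html) {
    printf(
        "%-36s weak sees: %-10s full sees: %s\n",
        $html,
        implode(',', findDangerousAttributes($html, WEAK_ATTR_PATTERN)) ?: '(none)',
        implode(',', findDangerousAttributes($html, FULL_ATTR_PATTERN)) ?: '(none)'
    );
    echo '  after strip (full pattern): ', stripDangerousAttributes($html, FULL_ATTR_PATTERN), PHP_EOL;
}
```

With the weak pattern only the first sample reports onerror; the second and third pass through untouched, which is exactly the bypass the advisory describes. The broader pattern catches all three, but any regex over raw HTML remains fragile against tokenizer quirks, so the durable mitigation is to parse the content with an HTML parser and keep only an allowlist of elements and attributes rather than trying to enumerate dangerous ones.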