CVE-2026-32629 - CVE Details, Severity, and Analysis | Strobes VI
CVE-2026-32629
Published: April 2, 2026
Last updated: April 2, 2026
Exploit: No
Zero-day: No
Patch: Yes
Trend: Neutral
TL;DR
CVE-2026-32629 is listed with a CVSS score of 0.0, which means no score has been assigned yet; the "low" label derived from it is a placeholder, not an assessment. It is a stored XSS in phpMyFAQ that an unauthenticated attacker can plant through a guest FAQ submission and that fires when an administrator opens the FAQ editor. No in-the-wild exploitation is recorded, although the advisory below ships a proof-of-concept, and a patch is available.
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Description
Summary
An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example "<script>alert(1)</script>"@evil.com. PHP's FILTER_VALIDATE_EMAIL accepts this email as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's |raw filter, which bypasses auto-escaping entirely.
Details
1. PHP FILTER_VALIDATE_EMAIL accepts RFC-valid quoted local parts with dangerous characters
phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php:99
$email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
PHP accepts "<script>alert(1)</script>"@evil.com as a valid email: RFC 5321 permits a quoted-string local part, and <, > and / are all legal inside the quotes. The filter checks syntax only and performs no HTML sanitization. Confirmed:
"<script>alert(1)</script>"@evil.com => string (valid, not false)
2. Email stored raw without HTML sanitization
phpmyfaq/src/phpMyFAQ/Faq.php — email retrieved directly as $row->email from the database.
3. Admin Twig template renders email with |raw
phpmyfaq/assets/templates/admin/content/faq.editor.twig:296
Affected version: 4.2.0-alpha, commit f0dc86c8f
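The three steps above can be reproduced and closed in isolation. The block below is an added example, not phpMyFAQ's own code: it mirrors the vulnerable filter call, shows the payload passing it, and then applies the two controls that stop the chain (reject quoted local parts at input, escape at output, which is what Twig's auto-escaping does once |raw is removed from the template). It also includes a small hunting helper for rows already in a database. All function names, the sample rows and their column names are assumptions of this example; it needs PHP 8.0 or later.

```php
<?php
// Added example; this is not phpMyFAQ code. It isolates the two halves of the
// bug, (1) FILTER_VALIDATE_EMAIL passing a quoted local part that carries HTML and
// (2) the value reaching the page unescaped, then shows the controls that close it
// and a check for addresses already sitting in a database. Requires PHP 8.0+.
declare(strict_types=1);

// The payload from the advisory.
const PAYLOAD = '"<script>alert(1)</script>"@evil.com';

// Mirrors the vulnerable check: any syntactically valid address passes untouched.
function validateLikeFaqController(string $email): string|false
{
    return filter_var(trim($email), FILTER_VALIDATE_EMAIL);
}

// Input control: accept only an unquoted "dot-atom" local part. RFC 5322 atext is
// ALPHA / DIGIT / ! # $ % & ' * + - / = ? ^ _ ` { | } ~, and a dot-atom is atext
// runs joined by single dots, so a quote, <, >, space or backslash can never
// appear. Mail providers do not issue quoted local parts, so rejecting them
// turns away no real users.
function isDotAtomEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $atext = "[A-Za-z0-9!#$%&'*+\\/=?^_`{|}~-]+";
    return (bool) preg_match("/^{$atext}(?:\\.{$atext})*@/", $email);
}

// Output control: escape at the render site. Twig does this automatically once
// |raw is removed from the template; here the same thing is spelled out in PHP.
function renderEmailField(string $email): string
{
    return '<input name="email" value="'
        . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Hunting aid: given rows pulled from the FAQ table, return the ids whose email
// uses a quoted local part. Column names here are assumed, not phpMyFAQ's.
function findQuotedLocalParts(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (str_starts_with($row['email'], '"')) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

// Demonstration with constructed data.
$stored = validateLikeFaqController(PAYLOAD);
printf("filter_var accepts the payload:              %s\n", $stored === false ? 'no' : 'yes');
printf("dot-atom validator accepts the payload:      %s\n", isDotAtomEmail(PAYLOAD) ? 'yes' : 'no');
printf("dot-atom validator accepts a normal address: %s\n", isDotAtomEmail('first.last+tag@example.org') ? 'yes' : 'no');
echo "rendered with |raw:      <input name=\"email\" value=\"", (string) $stored, "\">\n";
echo "rendered with escaping:  ", renderEmailField((string) $stored), "\n";

$sampleRows = [
    ['id' => 1, 'email' => 'alice@example.org'],
    ['id' => 2, 'email' => PAYLOAD],
    ['id' => 3, 'email' => '"bob smith"@example.org'],
];
echo "rows to review: ", implode(', ', findQuotedLocalParts($sampleRows)), "\n";
```

The output control is the one that actually fixes the bug: any value that reaches a template must be escaped for its context regardless of what validation happened on the way in. The input control is defence in depth and also a useful triage signal, since a quoted local part in a guest submission is far more likely to be an attack than a real address.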
PoC
The reproduction of the vulnerability was implemented with the help of AI while reviewing the source code to generate the proof-of-concept. Please kindly note this for reference. Since the vulnerability has already been confirmed directly in the source code, the proof-of-concept code may be considered as a reference only.
Extract the attached archive and proceed.
poc.zip (https://github.com/user-attachments/files/25938058/poc.zip)
0. (docker compose -f docker-compose.yml down -v)
1. docker compose -f docker-compose.yml up -d mariadb php-fpm nginx
2. bash exploit.sh
-----
1. Access http://localhost:8888/admin/
2. Log in with admin / Admin1234!
3. After logging in, check whether the URL remains http://localhost:8888/admin/
4. Go to Content → FAQ Administration → edit "poc" → alert popup should appear
If it does not appear, you can also access it directly via:
http://localhost:8888/admin/faq/edit/1/en
Impact
When an administrator opens /admin/faq/edit/{id}/{lang} to review the pending FAQ, the injected script executes in the admin's browser context. This allows an attacker to:
- Steal the administrator's session cookie → full admin account takeover (where the cookie is HttpOnly, the script can instead drive the admin UI directly with the administrator's session)
- Perform arbitrary admin actions (create users, modify content, change configuration)
- Pivot to further attacks on the server
The attack chain requires no authentication. By default, records.allowNewFaqsForGuests=true allows unauthenticated FAQ submission, and records.defaultActivation=false keeps the submission inactive until an administrator reviews it, which means the administrator has to open the edit page and trigger the payload.
Note on captcha: The built-in captcha is enabled by default when the PHP gd extension is present (spam.enableCaptchaCode=true). This prevents fully automated exploitation but does not prevent a targeted manual attack: an attacker can solve the captcha once and submit the payload.
Cite as: Strobes VI. (2026). CVE-2026-32629 - CVE Details and Analysis. Strobes VI. Retrieved April 3, 2026, from https://vi.strobes.co/cve/CVE-2026-32629