VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-x8f6-wx6k-f3d5

Essentials
Severities (17)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-x8f6-wx6k-f3d5
Aliases	CVE-2025-68951 GHSA-jv8r-hv7q-p6vc
Summary	phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00028	https://api.first.org/data/v1/epss?cve=CVE-2025-68951
epss	0.00028	https://api.first.org/data/v1/epss?cve=CVE-2025-68951
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-jv8r-hv7q-p6vc
cvssv3.1	5.4	https://github.com/thorsten/phpMyFAQ
generic_textual	MODERATE	https://github.com/thorsten/phpMyFAQ
cvssv3.1	5.4	https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
generic_textual	MODERATE	https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
ssvc	Track	https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
cvssv3.1	5.4	https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
generic_textual	MODERATE	https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
ssvc	Track	https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
cvssv3.1	5.4	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
cvssv3.1_qr	MODERATE	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
generic_textual	MODERATE	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
ssvc	Track	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2025-68951
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-68951

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-68951
		https://github.com/thorsten/phpMyFAQ
61829e83411f7b28bc6fd1052bfde54c32c6c370		https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
8211d1d25951b4c272443cfc3ef9c09b1363fd87		https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
CVE-2025-68951		https://nvd.nist.gov/vuln/detail/CVE-2025-68951
GHSA-jv8r-hv7q-p6vc		https://github.com/advisories/GHSA-jv8r-hv7q-p6vc
GHSA-jv8r-hv7q-p6vc		https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/thorsten/phpMyFAQ

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-29T16:13:42Z/ Found at https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-29T16:13:42Z/ Found at https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-29T16:13:42Z/ Found at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-68951

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.08613
EPSS Score	0.00028
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:59:04.777204+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/68xxx/CVE-2025-68951.json	38.6.0