4.0.16 and 4.1.0-RC

Author: thorsten

content/news/2025.md

@@ -5,10 +5,21 @@ canonical: news/2025
 layout: news_md.hbs
 ---
 
+### 2025-12-29
+
+The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.1.0-RC](/download),
+the "Chris Rea" release.
+This release fixes security vulnerabilities, improves the experimental plugin manager, fixes all reported bugs, and 
+updates our third party dependencies.
+We also updated various bundled translations.
+Additionally, we also released [phpMyFAQ 4.0.16](/download), the "Perry Bamonte" release, 
+which fixes the same security vulnerabilities.
+[Click here to find a detailed security advisory](/security/advisory-2025-12-29).
+
 ### 2025-12-22
 
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.15](/download), the "Rosa von Praunheim" release.
-This release fixes all reported bugs and we updated our third party dependencies.
+This release fixes all reported bugs, and we updated our third party dependencies.
 
 ### 2025-12-16
 

content/security/advisory-2025-12-29.md

@@ -0,0 +1,39 @@
+---
+title: Security Advisory 2025-12-29
+description: Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability in phpMyFAQ
+canonical: security/advisory-2025-12-29
+---
+
+## Authenticated SQL Injection in Configuration Update Functionality in phpMyFAQ
+
+**Issued on::** 2025-12-29
+**Software::** phpMyFAQ <= 4.0.15
+**Risk::** High
+**Platforms::** all
+
+The phpMyFAQ Team has learned of security issues that'd been discovered in phpMyFAQ 4.0.15 and earlier.
+
+## Description
+
+A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an 
+administrator’s browser by registering a user whose display name contains HTML entities (e.g., &lt;img ...&gt;). When 
+an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting 
+in script execution in the admin context.
+
+An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and 
+then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files 
+(e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on 
+compromise.
+
+## Solution
+
+The phpMyFAQ Team has released the new phpMyFAQ versions 4.0.16 and 4.1.0-RC, which fix the vulnerabilities. All
+users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
+
+## Workaround
+
+There's no workaround except installing phpMyFAQ 4.0.15 or 4.1.0-RC.
+
+## Thanks
+
+The phpMyFAQ team would like to thank **eclipse07077** for the responsible disclosures of this vulnerability.

content/security/index.md

@@ -18,6 +18,7 @@ layout: none
 
         ## 2025
         <ul>
+          <li><a href="/security/advisory-2025-12-29">Security Advisory 2025-12-29</a></li>
           <li><a href="/security/advisory-2025-11-15">Security Advisory 2025-11-15</a></li>
           <li><a href="/security/advisory-2025-10-03">Security Advisory 2025-10-03</a></li>
           <li><a href="/security/advisory-2025-01-02">Security Advisory 2025-01-02</a></li>

data/development.json

@@ -1,11 +1,11 @@
 {
-  "version": "4.1.0-beta.2",
+  "version": "4.1.0-RC",
   "zip": {
-    "filesize": 18.31,
-    "md5": "899043e2170b3f5efc593a7a9f25ed7b"
+    "filesize": 18.51,
+    "md5": "586d4c353f0c98c31b814fd8511e8c4c"
   },
   "targz": {
-    "filesize": 14.09,
-    "md5": "06751cac1174a5c3e7f3aae3aaff86c8"
+    "filesize": 14.28,
+    "md5": "28c7cbe97026c0b26b18ff646bac2815"
   }
 }

data/stable.json

@@ -1,11 +1,11 @@
 {
-  "version": "4.0.15",
+  "version": "4.0.16",
   "zip": {
     "filesize": 18.29,
-    "md5": "f96fc92d15a90eb52e468617dd41b7af"
+    "md5": "4c159ac45aabf7bb24db197300db0e71"
   },
   "targz": {
     "filesize": 14.96,
-    "md5": "57d2753d84a648427358aff1ed35cfd3"
+    "md5": "bfefd82bdefc34c054367cfd260e3377"
   }
 }

data/versions.json

@@ -1,8 +1,8 @@
 {
-  "stable": "4.0.15",
-  "stable_released": "2025-12-22",
-  "development": "4.1.0-beta.2",
-  "development_released": "2025-12-16",
-  "nightly": "nightly-2025-12-21",
-  "nightly_released": "2025-12-21"
+  "stable": "4.0.16",
+  "stable_released": "2025-12-29",
+  "development": "4.1.0-RC",
+  "development_released": "2025-12-29",
+  "nightly": "nightly-2025-12-28",
+  "nightly_released": "2025-12-28"
 }

src/app/advisories/page.tsx

@@ -17,6 +17,9 @@ export default function AdvisoriesPage() {
 
           <h2>2025</h2>
           <ul>
+            <li>
+              <Link href="/security/advisory-2025-12-29">Security Advisory 2025-12-29</Link>
+            </li>
             <li>
               <Link href="/security/advisory-2025-11-15">Security Advisory 2025-11-15</Link>
             </li>

src/app/changelog/page.tsx

@@ -22,8 +22,8 @@ export default function ChangelogPage() {
 
 
     <h3 className="mt-4 mb-2">
-      <a id="4.1.0-beta"></a>
-      phpMyFAQ 4.1.0-beta - 2025-11-22
+      <a id="4.1.0-RC"></a>
+      phpMyFAQ 4.1.0-RC - 2025-12-29
     </h3>
     <ul className="list-unstyled ms-3">
       <li className="mb-1">changed PHP requirement to PHP 8.3 or later</li>
@@ -43,14 +43,30 @@ export default function ChangelogPage() {
       <li className="mb-1">added support for OpenSearch</li>
       <li className="mb-1">added support for .env files</li>
       <li className="mb-1">added support for Mago</li>
+      <li className="mb-1">added ESLint configuration</li>
       <li className="mb-1">added experimental support for FrankenPHP</li>
       <li className="mb-1">added experimental support for LDAP group support</li>
       <li className="mb-1">added experimental MCP Server</li>
       <li className="mb-1">added experimental update via command line</li>
       <li className="mb-1">added experimental support for PHP 8.6</li>
       <li className="mb-1">improved online update feature</li>
+      <li className="mb-1">improved experimental plugin manager</li>
       <li className="mb-1">updated Spanish translation</li>
       <li className="mb-1">updated Japanese translation</li>
+      <li className="mb-1">updated French translation</li>
+      <li className="mb-1">updated Portuguese and Brazilian Portuguese translation</li>
+      <li className="mb-1">updated Turkish translation</li>
+      <li className="mb-1">updated Dutch translation</li>
+      <li className="mb-1">updated Norwegian (Bokmål) translation</li>
+      <li className="mb-1">updated Italian translation</li>
+      <li className="mb-1">updated Finnish translation</li>
+      <li className="mb-1">updated Chinese (Simplified) and Chinese (Traditional) translations</li>
+      <li className="mb-1">updated Hungarian translation</li>
+      <li className="mb-1">updated Mongolian translation</li>
+      <li className="mb-1">updated Arabic translation</li>
+      <li className="mb-1">updated Basque translation</li>
+      <li className="mb-1">updated Bengali translation</li>
+      <li className="mb-1">updated Bosnian translation</li>
       <li className="mb-1">updated to PHPUnit v12</li>
       <li className="mb-1">migrated codebase to use PHP 8.3 language features</li>
       <li className="mb-1">migrated from WYSIWYG editor from TinyMCE to Jodit Editor</li>
@@ -63,6 +79,15 @@ export default function ChangelogPage() {
       phpMyFAQ 4.0.x
     </h2>
 
+    <h3 className="mt-4 mb-2">
+      <a id="4.0.16"></a>
+      phpMyFAQ 4.0.16 - 2025-12-29
+    </h3>
+    <ul className="list-unstyled ms-3">
+      <li className="mb-1">fixed security vulnerabilities</li>
+      <li className="mb-1">updated third party dependencies</li>
+    </ul>
+
     <h3 className="mt-4 mb-2">
       <a id="4.0.15"></a>
       phpMyFAQ 4.0.15 - 2025-12-22