CVE-2026-34728

HIGH 8.7

phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

0th

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.

CWE	CWE-22
Vendor	thorsten
Product	phpmyfaq
Published	Apr 2, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for thorsten phpmyfaq

Be the first to know when new high vulnerabilities affecting thorsten phpmyfaq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

thorsten / phpMyFAQ

< 4.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x github.com: https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1