CVE-2026-45008

MEDIUM 6.5

phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.

CWE	CWE-73
Vendor	thorsten
Product	phpmyfaq
Published	May 15, 2026

Stay Ahead of the Next One

Get instant alerts for thorsten phpmyfaq

Be the first to know when new medium vulnerabilities affecting thorsten phpmyfaq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

thorsten / phpmyfaq

0 < 4.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2 vulncheck.com: https://www.vulncheck.com/advisories/phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter

Credits

🔍 adrgs aisafe-bot