Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Patch Now
AI Analysis

Impact

The MediaBrowserController in phpMyFAQ concatenates a user-supplied filename to the base upload directory without checking for directory traversal. Because FILTER_SANITIZE_SPECIAL_CHARS only HTML-encodes a handful of characters (&, ', ", <, > and control characters), '.' and '/' pass through untouched, so an attacker can supply a name containing sequences such as '../' and the endpoint will unlink whatever file that path resolves to, including files outside the upload directory. The endpoint also lacks CSRF token validation, so the deletion can be triggered by a forged request that the browser of a logged-in user sends without that user's knowledge. The flaw therefore lets an attacker remove any file the web server process is permitted to delete, potentially disrupting FAQ content or wiping backups. The weakness is classified as Path Traversal (CWE-22). The CVSS vector records no confidentiality impact, so the consequence is destructive file removal, which leads to data loss and service disruption.

Affected Systems

The issue affects installations of phpMyFAQ running any version older than 4.1.1. All self-hosted deployments of phpMyFAQ (the thorsten/phpMyFAQ project on GitHub) that have not applied the 4.1.1 update are vulnerable. Version 4.1.1 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H) signals high severity. Although the EPSS score is below 1 %, the combination of missing path validation and missing CSRF validation means exploitation needs no more than a forged request that a logged-in user with access to the media browser is induced to send (PR:L and UI:R in the vector), and the SSVC assessment in the history below records a public proof of concept (Exploitation: poc). Any installation that exposes the media browser to authenticated users is at risk. The flaw is not listed in the CISA KEV catalog, but its ease of exploitation warrants immediate attention.

Generated by OpenCVE AI on April 7, 2026 at 20:24 UTC.

Remediation

The vendor fix is the phpMyFAQ 4.1.1 release referenced in the description and in the GHSA advisory below; no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.1 or later.
  • Restrict the fileRemove action so that only administrators can trigger it.
  • Enable CSRF protection for the MediaBrowserController endpoints if it is not already active.
  • Temporarily disable the fileRemove action until the application is updated or the configuration changes have been applied.
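The vulnerable pattern described above, next to the path-containment and CSRF checks the recommended actions call for, as an added example written for this page in PHP. It is not phpMyFAQ's own code: the function names, the shape of the fileRemove handler's parameters and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example (not phpMyFAQ's code). Shows why FILTER_SANITIZE_SPECIAL_CHARS
// does not stop "../", and a hardened fileRemove handler that rejects traversal
// and validates a CSRF token. Names and parameters are illustrative assumptions.
declare(strict_types=1);

// VULNERABLE PATTERN: the filter HTML-encodes & ' " < > and control characters
// only; '.' and '/' pass through, so the traversal sequence survives.
function vulnerableRemovePath(string $baseDir, string $name): string
{
    $sanitized = filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
    return $baseDir . '/' . $sanitized;   // "../" still escapes $baseDir
}

// HARDENED: a media-browser name must be a bare filename (no directory part),
// and the resolved path must stay inside the upload directory.
function isBareFilename(string $name): bool
{
    return $name !== ''
        && $name !== '.' && $name !== '..'
        && !str_contains($name, "\0")
        && basename($name) === $name;      // rejects any directory separator
}

function safeRemovePath(string $baseDir, string $name): ?string
{
    if (!isBareFilename($name)) {
        return null;
    }
    $realBase = realpath($baseDir);
    $realFile = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $realFile === false) {
        return null;                       // base missing or target does not exist
    }
    // Compare with a trailing separator so "/srv/upload" cannot match "/srv/upload2/x".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($realFile, $prefix) ? $realFile : null;
}

// CSRF: the delete must carry the per-session token, compared in constant time.
function csrfTokenValid(?string $submitted, ?string $sessionToken): bool
{
    return is_string($submitted) && is_string($sessionToken)
        && $sessionToken !== ''
        && hash_equals($sessionToken, $submitted);
}

function handleFileRemove(string $baseDir, array $post, array $session): string
{
    if (!csrfTokenValid($post['csrf'] ?? null, $session['csrf'] ?? null)) {
        return 'rejected: bad CSRF token';
    }
    $target = safeRemovePath($baseDir, (string)($post['name'] ?? ''));
    if ($target === null) {
        return 'rejected: invalid file name';
    }
    return unlink($target) ? 'deleted ' . basename($target) : 'unlink failed';
}

// Demo on a throwaway directory layout constructed for this example.
$root   = sys_get_temp_dir() . '/mb-demo-' . bin2hex(random_bytes(4));
$upload = $root . '/upload';
mkdir($upload, 0700, true);
file_put_contents($upload . '/logo.png', 'img');
file_put_contents($root . '/config.php', 'secret');   // sits OUTSIDE the upload dir

$evil = '../config.php';
echo 'sanitized name : ', filter_var($evil, FILTER_SANITIZE_SPECIAL_CHARS), PHP_EOL; // unchanged
echo 'vulnerable path: ', vulnerableRemovePath($upload, $evil), PHP_EOL;            // escapes $upload

$session = ['csrf' => bin2hex(random_bytes(16))];
echo handleFileRemove($upload, ['name' => $evil, 'csrf' => $session['csrf']], $session), PHP_EOL;
echo handleFileRemove($upload, ['name' => 'logo.png'], $session), PHP_EOL;                 // no token
echo handleFileRemove($upload, ['name' => 'logo.png', 'csrf' => $session['csrf']], $session), PHP_EOL;

// Clean up the demo files.
@unlink($root . '/config.php');
@rmdir($upload);
@rmdir($root);
```

Run it with `php` 8.x (str_contains and str_starts_with need PHP 8). The first three lines of output show the traversal name passing the filter unchanged and the vulnerable concatenation pointing at config.php outside the upload directory; the hardened handler rejects that name, rejects a tokenless request for a legitimate file, and only deletes logo.png when both the name and the token check out. The realpath comparison is the check that matters: it catches symlinks and platform-specific separators that a simple string test on '../' would miss.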


Advisories
Source: GitHub GHSA
ID: GHSA-38m8-xrfj-v38x
Title: phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
History

Tue, 07 Apr 2026 15:15:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Phpmyfaq; Phpmyfaq phpmyfaq
Type: CPEs
  Values removed: none
  Values added: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values removed: none
  Values added: Phpmyfaq; Phpmyfaq phpmyfaq

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Thorsten; Thorsten phpmyfaq
Type: Vendors & Products
  Values removed: none
  Values added: Thorsten; Thorsten phpmyfaq
Type: Metrics (ssvc)
  Values removed: none
  Values added: Automatable: no; Exploitation: poc; Technical Impact: total (SSVC version 2.0.3)


Thu, 02 Apr 2026 15:15:00 +0000

Type: Description
  Values removed: none
  Values added: phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
Type: Title
  Values removed: none
  Values added: phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
Type: Weaknesses
  Values removed: none
  Values added: CWE-22
Type: References
  Values removed: none
  Values added:
Type: Metrics (cvssV3_1)
  Values removed: none
  Values added: score 8.7; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:24:02.916Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34728

Vulnrichment

Updated: 2026-04-02T15:23:52.055Z

NVD

Status : Analyzed

Published: 2026-04-02T15:16:41.770

Modified: 2026-04-07T14:57:06.980

Link: CVE-2026-34728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:17Z

Weaknesses