Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Apply Patch
AI Analysis

Impact

The MediaBrowserController component processes file deletion requests without validating the supplied filename. The filter applied (FILTER_SANITIZE_SPECIAL_CHARS) only HTML-encodes a handful of special characters and leaves dots and slashes untouched, so it does nothing against traversal sequences such as ../. As a result, an attacker can supply a name that walks out of the intended upload directory and delete any file the web server process has permission to remove, including application code, configuration and other data. Because no anti-CSRF token is checked, the deletion can also be triggered by a cross-site request: a logged-in user who merely visits an attacker-controlled page can be made to issue the fileRemove request with their own session. The primary impact is loss of data and disruption of the FAQ application (integrity and availability; no confidentiality impact is recorded).
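The two defects described above, shown side by side as an added PHP illustration that is not phpMyFAQ's code: the first functions reproduce the shape of the flaw (filter, then concatenate) to show that FILTER_SANITIZE_SPECIAL_CHARS passes a traversal payload through unchanged; the later ones resolve the name inside the real upload directory and require a session-bound CSRF token on a POST. All function names, the demo directory and the token field name are assumptions of this example.

```php
<?php
// Added illustration, not phpMyFAQ's code. Function names are hypothetical.
declare(strict_types=1);

// 1. FILTER_SANITIZE_SPECIAL_CHARS only HTML-encodes & ' " < > and bytes below 0x20.
//    Dots and slashes pass through, so a traversal payload survives intact.
function sanitizedName(string $name): string
{
    return (string) filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
}

// 2. The vulnerable shape described in the advisory: filter, then concatenate.
//    Returns the path that would be handed to unlink(); nothing is deleted here.
function vulnerableTargetPath(string $baseDir, string $name): string
{
    return $baseDir . '/' . sanitizedName($name);   // no containment check at all
}

// 3. Hardened resolution: drop directory components, resolve symlinks, and
//    require the result to sit strictly inside the real upload directory.
function resolveUploadPath(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $file = basename(str_replace('\\', '/', $name));   // strips ../ and ..\ prefixes
    if ($file === '' || $file === '.' || $file === '..') {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);   // false if it does not exist
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// 4. CSRF: a state-changing request must be a POST carrying a token bound to the
//    session, compared in constant time so the comparison itself leaks nothing.
function csrfTokenIsValid(array $post, array $session): bool
{
    return isset($post['csrf'], $session['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Hypothetical replacement for the fileRemove action: both checks before unlink().
function handleFileRemove(string $method, string $baseDir, array $post, array $session): string
{
    if ($method !== 'POST' || !csrfTokenIsValid($post, $session)) {
        return 'rejected: csrf';
    }
    $target = resolveUploadPath($baseDir, (string) ($post['name'] ?? ''));
    if ($target === null) {
        return 'rejected: path';
    }
    // unlink($target) would go here; the demo only reports the decision.
    return 'would delete ' . $target;
}

// Demo against a throwaway directory (constructed input, so it runs anywhere).
$base = sys_get_temp_dir() . '/mb_demo_' . bin2hex(random_bytes(4));
mkdir($base);
touch($base . '/legit.png');
$session = ['csrf' => bin2hex(random_bytes(16))];
$evil = '../../etc/passwd';

echo sanitizedName($evil), PHP_EOL;                 // the filter leaves the payload alone
echo vulnerableTargetPath($base, $evil), PHP_EOL;  // path that escapes the upload directory
echo handleFileRemove('POST', $base, ['name' => $evil, 'csrf' => $session['csrf']], $session), PHP_EOL;
echo handleFileRemove('POST', $base, ['name' => 'legit.png'], $session), PHP_EOL;
echo handleFileRemove('GET',  $base, ['name' => 'legit.png', 'csrf' => $session['csrf']], $session), PHP_EOL;
echo handleFileRemove('POST', $base, ['name' => 'legit.png', 'csrf' => $session['csrf']], $session), PHP_EOL;

unlink($base . '/legit.png');
rmdir($base);
```

Run it with `php example.php`. The first two lines show the payload surviving the filter and the concatenated path pointing outside the upload directory; the four handler calls show the traversal rejected on path grounds even with a valid token, the token-less and GET requests rejected as CSRF, and only the in-directory file with a valid POST token reaching the delete step. The containment check deliberately uses realpath() on both sides so a symlink planted inside the upload directory cannot redirect the delete elsewhere.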

Affected Systems

Vendor: Thorsten (maintainer of the phpMyFAQ project). Product: phpMyFAQ. All releases prior to version 4.1.1 are affected; version 4.1.1 contains the fix.

Risk and Exploitability

The CVSS 3.1 base score is 8.7 (High), with vector AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H: the attack is network-reachable and low-complexity, but it rides the privileges of an authenticated user (PR:L) and requires that user to be lured into the cross-site request (UI:R). The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC record on this page notes a public proof of concept (Exploitation: poc) and rates the technical impact as total. In practice the attacker needs only a crafted page that submits the fileRemove request, so the risk is significant wherever phpMyFAQ is publicly exposed and users with media browser access may browse untrusted sites while logged in.

Generated by OpenCVE AI on April 2, 2026 at 16:26 UTC.

Remediation

Vendor fix: phpMyFAQ 4.1.1 (see the GHSA advisory below). No separate vendor workaround has been published for earlier releases.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.1 or later.
  • If an upgrade is not immediately possible, block the media browser's fileRemove action at the web server or WAF, and restrict the media browser to a small set of trusted administrators who are told not to browse untrusted sites while logged in.
  • Run the PHP process with the least filesystem privileges it needs: write access only to the upload directory, and read-only (or no) access to application code, configuration and other data, so that a traversal cannot reach anything worth deleting. Back up the upload directory so a deletion can be reversed.



Advisories
Source: GitHub GHSA | ID: GHSA-38m8-xrfj-v38x | Title: phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Thorsten; Thorsten phpmyfaq
Type: Vendors & Products | Values Removed: (none) | Values Added: Thorsten; Thorsten phpmyfaq
Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:15:00 +0000

Type: Description | Values Removed: (none) | Values Added: (the Description text shown at the top of this page)
Type: Title | Values Removed: (none) | Values Added: phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-22
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:24:02.916Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34728

Vulnrichment

Updated: 2026-04-02T15:23:52.055Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T15:16:41.770

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-34728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:55Z

Weaknesses