Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broad Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An unauthenticated attacker can insert unescaped percent and underscore characters into the search term of phpMyFAQ’s searchCustomPages() function. Because the function only applies real_escape_string, which does not escape SQL LIKE metacharacters, the database expands the pattern. This results in a SQL wildcard injection that causes the search to match unintended records, exposing FAQ content that should not have been disclosed.
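The description and the Impact paragraph above both describe the same root cause: quote-escaping protects the string literal, but it does not neutralise the LIKE metacharacters, so a user-supplied `%` or `_` becomes a pattern. The following is an added Python example, not phpMyFAQ's own code, that reproduces the two shapes against an in-memory SQLite table with constructed rows: `quote_escape()` stands in for `real_escape_string()` (SQLite's quote convention is `''` rather than `\'`), `search_vulnerable()` concatenates the quote-escaped term into LIKE patterns the way the pre-4.1.1 code did, and `search_hardened()` applies the fix a reviewer would expect: escape `\`, `%` and `_`, declare the escape character with `ESCAPE`, and bind the pattern as a parameter. The table, column names and sample text are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample table; not phpMyFAQ's real schema or data.
SAMPLE_PAGES = [
    (1, "Public: password reset", "Reset your password through the self-service portal."),
    (2, "Public: VPN setup", "Install the VPN client and sign in with your account."),
    (3, "Internal: incident runbook", "Escalate to the on-call engineer in the private channel."),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    return conn


def quote_escape(term):
    """Quote-only escaping, the SQLite analogue of real_escape_string():
    it keeps the term inside the string literal but leaves the LIKE
    metacharacters % and _ untouched."""
    return term.replace("'", "''")


def search_vulnerable(conn, term):
    """Pre-fix shape: the quote-escaped term is concatenated into LIKE
    patterns, so any % or _ the user supplies is read as a wildcard."""
    t = quote_escape(term)
    sql = (f"SELECT id FROM pages WHERE title LIKE '%{t}%' "
           f"OR content LIKE '%{t}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


ESC = "\\"  # escape character announced to LIKE through the ESCAPE clause


def escape_like(term, esc=ESC):
    """Neutralise LIKE metacharacters: the escape character itself first,
    then % and _, so each one is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_hardened(conn, term):
    """Fixed shape: the term is LIKE-escaped, the query declares the escape
    character, and the pattern is bound as a parameter rather than pasted in."""
    pattern = "%" + escape_like(term) + "%"
    sql = ("SELECT id FROM pages WHERE title LIKE ? ESCAPE '\\' "
           "OR content LIKE ? ESCAPE '\\' ORDER BY id")
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def demo():
    """Run both search variants over a few terms; returns {term: (vulnerable_ids, hardened_ids)}."""
    conn = make_db()
    return {term: (search_vulnerable(conn, term), search_hardened(conn, term))
            for term in ("password", "%", "_", "O'Reilly")}


if __name__ == "__main__":
    for term, (vuln, hard) in demo().items():
        print(f"{term!r:12} vulnerable={vuln} hardened={hard}")
```

With the constructed rows, a bare `%` or `_` returns every page from the vulnerable variant and nothing from the hardened one, while an ordinary term such as `password` returns the same single row from both; the quote-only escaping still holds up against `O'Reilly`, which is exactly why this class of flaw survives a SQL injection review. The same `escape_like()` transform is what the fix has to apply in PHP before the term reaches the LIKE clause, and MySQL requires the matching `ESCAPE` declaration (or its default backslash) just as SQLite does here.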

Affected Systems

The affected product is the open-source FAQ application phpMyFAQ, maintained by thorsten. All releases prior to version 4.1.1 are vulnerable; the fix shipped in the 4.1.1 release.

Risk and Exploitability

The CVSS v4.0 base score is 6.9, indicating moderate severity. The EPSS metric is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only access to the public search interface; no authentication or additional privileges are needed. Because the wildcard characters travel in an ordinary user-input field, attackers can automate requests to enumerate potentially sensitive records. The combination of unauthenticated access, trivial injection, and the absence of any mitigating control makes the threat profile realistic.

Generated by OpenCVE AI on April 2, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply phpMyFAQ version 4.1.1 or later


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-gcp9-5jc8-976x
Title: phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
History

Fri, 03 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Thorsten; Thorsten phpmyfaq

Type: Vendors & Products
Values Removed: (none)
Values Added: Thorsten; Thorsten phpmyfaq

Thu, 02 Apr 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1.

Type: Title
Values Removed: (none)
Values Added: phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-943

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:24:15.944Z

Reserved: 2026-03-31T19:38:31.616Z

Link: CVE-2026-34973

Vulnrichment

Updated: 2026-04-03T18:24:03.413Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T15:16:51.750

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34973

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:19Z

Weaknesses