Description
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
Published: 2026-05-15
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in phpMyFAQ’s Client::deleteClientFolder allows an administrator with INSTANCE_DELETE permission to supply a URL parameter that contains directory traversal sequences, such as ../../../<path>. The flaw permits the application to resolve the requested directory outside the intended clientFolder scope, leading to recursive deletion of directories anywhere within the web server’s file system. The impact is data loss and potential service disruption, as critical files or configuration directories can be removed. The weakness is a directory traversal flaw categorized as CWE‑73.

Affected Systems

The affected product is phpMyFAQ by thorsten. Versions prior to 4.1.2 are vulnerable. Users deploying these versions should verify their installations against the listed version range.

Risk and Exploitability

The CVSS score of 7 indicates moderate severity. The EPSS score is 0.048%, showing a low but non-zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to possess administrative privileges (INSTANCE_DELETE). If such privileges are obtained, the attacker can delete arbitrary directories via the web interface, causing data corruption or service interruption. Given the moderate CVSS score of 7 and the low EPSS probability, the overall risk is notable but not extreme; however, the destructive potential warrants swift action.

Generated by OpenCVE AI on May 28, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the phpMyFAQ 4.1.2 update or later to remove the path traversal flaw.
  • Limit the INSTANCE_DELETE permission to a minimal set of trusted administrators and audit permission assignments.
  • Implement filesystem permissions so that the web server’s user group does not own or have write access to critical directories outside the designated clientFolder area.

Generated by OpenCVE AI on May 28, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rmqr-h98c-qg2m phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
History

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Mon, 18 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
Title phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Phpmyfaq Phpmyfaq
Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:21.300Z

Reserved: 2026-05-08T16:43:53.068Z

Link: CVE-2026-45008

cve-icon Vulnrichment

Updated: 2026-05-18T16:05:27.476Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T19:17:01.210

Modified: 2026-05-28T16:16:25.533

Link: CVE-2026-45008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses