Description
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in phpMyFAQ’s Client::deleteClientFolder allows an administrator with INSTANCE_DELETE permission to supply a URL parameter that contains directory traversal sequences, such as ../../../<path>. The flaw permits the application to resolve the requested directory outside the intended clientFolder scope, leading to recursive deletion of directories anywhere within the web server’s file system. The impact is data loss and potential service disruption, as critical files or configuration directories can be removed. The weakness is a directory traversal flaw categorized as CWE‑73.

Affected Systems

The affected product is phpMyFAQ by thorsten. Versions prior to 4.1.2 are vulnerable. Users deploying these versions should verify their installations against the listed version range.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to possess administrative privileges (INSTANCE_DELETE). If such privileges are obtained, the attacker can delete arbitrary directories via the web interface, causing data corruption or service interruption. Given the moderate CVSS and lack of public exploitation, the overall risk is notable but not extreme; however, the destructive potential warrants swift action.

Generated by OpenCVE AI on May 15, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the phpMyFAQ 4.1.2 update or later to remove the path traversal flaw.
  • Limit the INSTANCE_DELETE permission to a minimal set of trusted administrators and audit permission assignments.
  • Implement filesystem permissions so that the web server’s user group does not own or have write access to critical directories outside the designated clientFolder area.

Generated by OpenCVE AI on May 15, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
Title phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T18:36:35.777Z

Reserved: 2026-05-08T16:43:53.068Z

Link: CVE-2026-45008

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:01.210

Modified: 2026-05-15T19:17:01.210

Link: CVE-2026-45008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:00:09Z

Weaknesses