CVE-2026-34728 HIGH

CVE-2026-34728: phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController

Vendor Thorsten

Product phpMyFAQ

Weakness CWE-22 · Path traversal

Published April 2, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

What the vulnerability does

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.

Key dates

Disclosure timeline

April 2, 2026 CVE published

April 2, 2026 Record updated