{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34728", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T14:44:19.135Z", "dateUpdated": "2026-04-02T15:24:02.916Z"}, "containers": {"cna": {"title": "phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x"}, {"name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:44:19.135Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', \", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1."}], "source": {"advisory": "GHSA-38m8-xrfj-v38x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:23:57.595966Z", "id": "CVE-2026-34728", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:24:02.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34728", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T15:23:57.595966Z"}}}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:23:52.055Z"}}], "cna": {"title": "phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController", "source": {"advisory": "GHSA-38m8-xrfj-v38x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"status": "affected", "version": "< 4.1.1"}]}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x", "name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', \", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:44:19.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34728", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:24:02.916Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T14:44:19.135Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', \", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1."}], "id": "CVE-2026-34728", "lastModified": "2026-04-02T16:16:24.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:41.770", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "phpMyFAQ", "source": "cna", "vendor": "thorsten"}, "product": "phpmyfaq", "vendor": "thorsten"}], "analysis": {"en": {"generated_at": "2026-04-02T16:26:34.388812+00:00", "value": {"mitigation_remediation": ["Upgrade phpMyFAQ to version 4.1.1 or later.", "If an upgrade is not immediately possible, implement CSRF protection for the file deletion endpoint or temporarily block the endpoint.", "Verify that the upload directory resides outside the web root or is otherwise protected so that only authorized users can access or delete files."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "Vendors: Thorsten under the phpMyFAQ project. Product: phpMyFAQ. All releases prior to version 4.1.1 are affected. The patch was released in 4.1.1 to address this flaw.", "description_and_impact": "The MediaBrowserController component processes file deletion requests without validating the supplied filename. The filter applied only sanitizes HTML special characters and does not guard against path traversal characters such as '..'. As a result, an attacker can supply a filename that navigates outside the intended upload directory and cause deletion of arbitrary files stored on the web server. The deletion can be triggered through a CSRF request as no anti\u2011CSRF tokens are checked, allowing an attacker to trigger the action from a malicious website. The primary impact is loss of data and potential disruption of the FAQ application.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable from the web interface using a crafted CSRF payload; an attacker only needs to coerce a valid user into visiting a malicious site. This makes the risk significant for systems where the phpMyFAQ application is publicly exposed and access to the file remove action is not restricted."}}}}, "created": "2026-04-02T20:12:14.382565+00:00", "updated": "2026-04-02T20:20:55.176967+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}