Platform: php
Component: phpmyfaq/phpmyfaq
Fixed in: 4.1.2, 4.1.1
CVE-2026-34728 describes a Path Traversal vulnerability in the MediaBrowserController::index() method of phpmyfaq/phpmyfaq. The flaw allows attackers to delete files on the server by manipulating the name parameter of the fileRemove action, which is neither adequately sanitized nor protected against CSRF. The vulnerability affects versions of phpmyfaq/phpmyfaq up to and including 4.1.0-beta.2, with a fix available in version 4.1.1.
The impact of this vulnerability is significant. An attacker can leverage it to delete critical files on the server hosting phpmyfaq/phpmyfaq, potentially leading to denial of service or even complete system compromise. The lack of CSRF protection exacerbates the risk, as attackers can trigger file deletion without user interaction. Successful exploitation could result in the loss of configuration files, database connections, or even core application files, disrupting service and potentially exposing sensitive data. The absence of proper path validation means an attacker can traverse directories and delete files outside the intended upload directory.
This vulnerability was publicly disclosed on 2026-04-01. No known public proof-of-concept exploits are currently available, but the vulnerability's ease of exploitation suggests it could become a target for opportunistic attackers. The CVSS score of 8.7 (HIGH) reflects the potential for significant impact. It is not currently listed on the CISA KEV catalog.
Websites and applications utilizing phpmyfaq versions 4.1.0-beta.2 and earlier are at risk. Shared hosting environments where users have the ability to upload and manage media files are particularly vulnerable, as attackers could potentially leverage this vulnerability to compromise other users' accounts or the entire server.
• php: Examine web server access logs for requests to /phpmyfaq/media/browser/index.php?fileRemove=../… or similar patterns.
• php: Use grep to search for the vulnerable code within the MediaBrowserController::index() function in the phpmyfaq codebase.
• generic web: Monitor for unusual file deletion activity in the phpmyfaq media directory.
• linux / server: Use journalctl to filter for errors related to file access or deletion within the phpmyfaq directory.
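The log check from the first bullet, worked out as an added example (not code from the advisory or from the phpMyFAQ project): it parses Apache-style combined access log lines, percent-decodes each query value (repeatedly, so double-encoded sequences are caught) and flags requests whose parameters carry a `../` or `..\` traversal sequence, noting whether the request targets the fileRemove action. The log lines are constructed here, and the exact query layout (`action=fileRemove&name=...`) is an assumption based on the action and parameter names the advisory gives, not the verified request format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not taken from a real server).
# The query layout "action=fileRemove&name=..." is an assumption derived from the advisory text.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /phpmyfaq/media/browser/index.php?action=fileRemove&name=logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Apr/2026:10:00:02 +0000] "GET /phpmyfaq/media/browser/index.php?action=fileRemove&name=../../config/database.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [01/Apr/2026:10:00:03 +0000] "GET /phpmyfaq/media/browser/index.php?action=fileRemove&name=%2e%2e%2f%2e%2e%2fconfig%2Fdatabase.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [01/Apr/2026:10:00:04 +0000] "GET /phpmyfaq/index.php?action=faq&id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# a ".." path component bounded by a slash, backslash, or the start/end of the value
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the (decoded) value contains a directory traversal component."""
    return TRAVERSAL_RE.search(fully_decode(value)) is not None


def find_traversal_requests(log_text):
    """Return one record per log line whose query parameters carry a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)  # decodes one layer already
        suspicious = [(k, fully_decode(v)) for k, v in params if has_traversal(v)]
        if not suspicious:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "status": int(m.group("status")),
            "file_remove": "fileremove" in parts.query.lower(),
            "params": suspicious,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        flag = "fileRemove" if hit["file_remove"] else "other"
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["path"]} [{flag}] {hit["params"]}')
```

A 200 status on such a request is the signal to treat seriously: on an unpatched install it means the deletion path was reached, so the affected file names (the decoded `name` values) should be checked against the server's file system and backups.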
Disclosure
Exploit status
EPSS: 0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade phpmyfaq/phpmyfaq to version 4.1.1 or later. If upgrading is not immediately feasible, implement a temporary workaround by restricting file upload permissions to the phpmyfaq user and directory. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences (e.g., ../) in the name parameter of the fileRemove action. Consider adding CSRF protection to the fileRemove endpoint as a further preventative measure. After upgrading, verify the fix by attempting a file deletion request with a malicious name parameter containing directory traversal sequences; the request should be rejected.
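To illustrate what the two mitigations above (path validation and CSRF protection on the fileRemove endpoint) need to enforce, here is an added example in Python; it is not the phpMyFAQ fix, which is written in PHP, and the function names, the media directory layout and the token handling are assumptions for the illustration. The check refuses any name that is not a single path component, resolves the candidate with realpath so that a symlink inside the media directory cannot point outside it, and compares the CSRF token in constant time before touching the file system.

```python
import os
import hmac
import shutil
import secrets
import tempfile


class RemoveRejected(Exception):
    """Raised when a deletion request fails validation (hypothetical error type)."""


def resolve_within(base_dir, user_supplied_name):
    """Return the absolute path of user_supplied_name inside base_dir, or raise RemoveRejected."""
    base = os.path.realpath(base_dir)
    # A media file name must be exactly one path component: no separators, no "." or "..".
    if user_supplied_name in ("", ".", "..") or os.path.basename(user_supplied_name) != user_supplied_name:
        raise RemoveRejected("name must be a single path component")
    # realpath resolves symlinks, so a link in the media directory that points outside is caught.
    candidate = os.path.realpath(os.path.join(base, user_supplied_name))
    if os.path.commonpath([base, candidate]) != base:
        raise RemoveRejected("resolved path escapes media directory")
    return candidate


def remove_media_file(base_dir, name, request_token, session_token):
    """Delete a file from the media directory only if the CSRF token matches and the path is confined."""
    if not (request_token and session_token and hmac.compare_digest(request_token, session_token)):
        raise RemoveRejected("missing or invalid CSRF token")
    target = resolve_within(base_dir, name)
    if not os.path.isfile(target):
        raise RemoveRejected("not a regular file")
    os.remove(target)
    return target


def demo():
    """Exercise the checks against a constructed media directory and return the outcomes."""
    root = tempfile.mkdtemp()
    try:
        media = os.path.join(root, "media")
        os.mkdir(media)
        open(os.path.join(media, "logo.png"), "w").close()          # legitimate upload
        secret = os.path.join(root, "config.php")                   # file outside media/
        open(secret, "w").close()
        try:
            os.symlink(secret, os.path.join(media, "link.php"))     # link escaping media/
            have_symlink = True
        except (OSError, NotImplementedError):
            have_symlink = False
        token = secrets.token_hex(16)

        def attempt(name, req_token):
            try:
                remove_media_file(media, name, req_token, token)
                return "removed"
            except RemoveRejected as exc:
                return str(exc)

        out = {
            "no_token": attempt("logo.png", None),
            "traversal": attempt("../config.php", token),
            "symlink": attempt("link.php", token) if have_symlink else "symlink unsupported",
            "legit": attempt("logo.png", token),
        }
        out["secret_survives"] = os.path.isfile(secret)
        out["logo_gone"] = not os.path.exists(os.path.join(media, "logo.png"))
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of the checks matters: the CSRF token is verified first so that a forged cross-site request is rejected before any path is even looked at, and the traversal check rejects on the raw name rather than trying to strip `../` sequences, since stripping can be bypassed by nested or encoded variants.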
Update phpMyFAQ to version 4.1.1 or later. This version fixes the path traversal vulnerability that allows arbitrary file deletion. The update also includes fixes for the missing CSRF token validation.
CVE-2026-34728 is a Path Traversal vulnerability in phpmyfaq versions up to 4.1.0-beta.2, allowing attackers to delete files on the server.
Yes, if you are using phpmyfaq versions 4.1.0-beta.2 or earlier, you are vulnerable to this Path Traversal flaw.
Upgrade phpmyfaq to version 4.1.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
Currently, there are no confirmed active exploitation campaigns, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the phpmyfaq project's official website or security advisories for the latest information and updates regarding this vulnerability.