Platform
php
Component
phpmyfaq/phpmyfaq
Fixed in
4.1.2
4.1.1
CVE-2026-34728 describes a Path Traversal vulnerability within the MediaBrowserController::index() method of phpmyfaq, a popular FAQ system. This flaw allows attackers to delete files on the server by manipulating the fileRemove action’s name parameter. Versions of phpmyfaq prior to 4.1.1 are affected, and a fix has been released. Successful exploitation could lead to unauthorized access and modification of sensitive data.
The vulnerability lies in the lack of proper path validation when handling file deletion requests. An attacker can craft a malicious name parameter containing directory traversal sequences (e.g., ../) to bypass intended restrictions. This allows them to specify arbitrary file paths for deletion, potentially impacting critical system files or configuration data. The absence of CSRF protection further exacerbates the risk, as attackers can trigger file deletion without user interaction through Cross-Site Request Forgery attacks. The blast radius extends to any files accessible by the web server process, potentially compromising the entire system.
This vulnerability was publicly disclosed on 2026-04-01. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation and the lack of CSRF protection make it a potential target. The vulnerability's severity is considered HIGH due to the potential for complete system compromise. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.17% (38% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade phpmyfaq to version 4.1.1 or later, which includes the necessary path validation and CSRF protection. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences in the fileRemove parameter. Additionally, restrict file upload permissions to the minimum necessary and implement strict access controls on the upload directory. Monitor web server access logs for suspicious file deletion attempts.
Update phpMyFAQ to version 4.1.1 or higher. This version fixes the path traversal vulnerability that allows arbitrary file deletion. The update also includes fixes for the lack of CSRF token validation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34728 is a Path Traversal vulnerability in phpmyfaq versions up to 4.1.0-beta.2, allowing attackers to delete files on the server.
Yes, if you are using phpmyfaq versions 4.1.0-beta.2 or earlier, you are vulnerable to this Path Traversal flaw.
Upgrade phpmyfaq to version 4.1.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
Currently, there are no confirmed active exploitation campaigns, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the phpmyfaq project's official website or security advisories for the latest information and updates regarding this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.