CVE-2026-34728
Directory Traversal and CSRF in phpMyFAQ MediaBrowserController
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpmyfaq | phpmyfaq | to 4.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated administrators to delete critical files such as database configuration and access control files, leading to potential server compromise, security bypass, and data loss.
Such impacts can undermine the integrity and availability of data, which are key requirements in compliance frameworks like GDPR and HIPAA.
Specifically, the arbitrary file deletion and lack of proper access controls could result in unauthorized data alteration or loss, violating data protection and security mandates.
Additionally, the absence of CSRF protection increases the risk of unauthorized actions, further weakening compliance with security best practices required by these standards.
Can you explain this vulnerability to me?
CVE-2026-34728 is a high-severity path traversal vulnerability in the phpMyFAQ application versions up to 4.1.0. It occurs in the MediaBrowserController::index() method, which handles file deletion requests triggered by the "fileRemove" action. The vulnerability arises because the user-supplied filename parameter is concatenated directly to the base upload directory path without proper validation to prevent directory traversal sequences like "../".
The input filtering uses PHP's FILTER_SANITIZE_SPECIAL_CHARS, which only encodes HTML special characters but does not block directory traversal patterns. Additionally, the endpoint does not verify CSRF tokens, making it vulnerable to Cross-Site Request Forgery attacks. The method uses the GET HTTP method but reads the request body, which bypasses typical CSRF protections.
As a result, an attacker with low privileges but authenticated access can delete arbitrary files outside the intended directory, including critical configuration files like database.php or .htaccess, potentially causing application failure or security bypass.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including:
- Deletion of critical configuration files, leading to application failure.
- Security bypass by removing access control files.
- Arbitrary file deletion causing data loss.
- Potential for chained attacks by deleting logs or security-related files.
- Server compromise due to loss of important files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious file deletion requests targeting the MediaBrowserController::index() endpoint, especially those using the "fileRemove" action with path traversal sequences like "../" in the name parameter.
Since the vulnerability involves an authenticated admin triggering file deletions via GET requests with JSON bodies containing the "name" parameter, detection can include inspecting web server logs or application logs for such requests.
Suggested commands to detect potential exploitation attempts include searching web server access logs for GET requests to the vulnerable endpoint with suspicious parameters:
- grep -i 'fileRemove' /var/log/apache2/access.log
- grep -E '\.\./' /var/log/apache2/access.log
- grep -i 'MediaBrowserController' /var/log/phpmyfaq.log
Additionally, monitoring for unexpected deletions of critical files such as database.php or .htaccess in the upload directories can help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched.
If upgrading is not immediately possible, restrict access to the vulnerable MediaBrowserController::index() endpoint to trusted users only and monitor for suspicious activity.
Additional mitigation measures involve:
- Implementing path traversal validation by using functions like basename() and realpath() to ensure file paths remain within allowed directories.
- Adding CSRF token verification to prevent cross-site request forgery attacks.
- Changing the HTTP method from GET to POST or DELETE for file deletion actions to align with RESTful practices and improve CSRF defenses.