CVE-2026-34973
Received Received - Intake
SQL LIKE Wildcard Injection in phpMyFAQ Search Causes Data Disclosure

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records β€” including content that was not meant to be surfaced β€” resulting in information disclosure. This issue has been patched in version 4.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34973
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpmyfaq phpmyfaq 4.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-34973 affects phpMyFAQ versions prior to 4.1.1 in the searchCustomPages() method. This method sanitizes user search terms using real_escape_string(), but this function does not escape SQL LIKE metacharacters '%' and '_'.

Because these wildcard characters remain unescaped, an unauthenticated attacker can inject them into search queries. This causes the SQL LIKE clauses to match a broader set of records than intended, including content that should not be accessible.

For example, searching for '_%_' can cause the query to return all custom pages containing at least one character, bypassing intended search restrictions and leading to unauthorized information disclosure.

Impact Analysis

This vulnerability allows an unauthenticated attacker to inject wildcard characters into search queries, causing the application to return unintended records.

As a result, sensitive or restricted content from the custom pages can be disclosed to unauthorized users.

Since no authentication is required to exploit this issue, it poses a moderate risk of information disclosure, potentially exposing confidential or private data.

Detection Guidance

This vulnerability can be detected by testing the search functionality of phpMyFAQ versions prior to 4.1.1 for improper handling of SQL LIKE wildcard characters in search queries.

Specifically, you can attempt to submit search terms containing the SQL LIKE wildcards '%' and '_' to see if the search results include unintended or excessive content from the custom pages.

For example, submitting the search term '_%_' (underscore, percent, underscore) may cause the backend to execute a query that returns all custom pages containing at least one character, indicating the vulnerability.

There are no specific network commands provided, but you can manually test the web application's search interface or use tools like curl or wget to automate sending such search queries and observe the responses.

  • Use curl to send a search request with the payload '_%_' and check if the response contains all custom pages, e.g.: curl -G 'http://your-phpmyfaq-site/search.php' --data-urlencode 'search=_%_'
Mitigation Strategies

The immediate mitigation step is to upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, you should ensure that the search terms are properly escaped before being used in SQL LIKE clauses.

Specifically, escape the '%' and '_' characters in search terms by replacing them with '\%' and '\_' respectively, for example using: $word = str_replace(['\', '%', '_'], ['\\', '\%', '\_'], $word);

Alternatively, use parameterized queries with correctly escaped LIKE values to prevent wildcard injection.

Compliance Impact

This vulnerability allows an unauthenticated attacker to perform a LIKE wildcard injection in the search functionality of phpMyFAQ, leading to unauthorized disclosure of content from the faqcustompages table. Such information disclosure could potentially expose sensitive or personal data that the application was intended to protect.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized information disclosure can lead to violations of these regulations if personal or sensitive data is exposed. Therefore, this vulnerability could negatively impact compliance by enabling data exposure that should be restricted under such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart