CVE-2026-57961
Received Received - Intake

Authenticated Path Traversal in phpMyFAQ Leading to Arbitrary File Read

Vulnerability report for CVE-2026-57961, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation. The path resolution logic locates the substring "content" within a user-controlled path using strpos(); when "content" is absent, strpos() returns false, which becomes 0 when cast to an integer, preserving the entire attacker-controlled path. This path is later passed to file_get_contents() without canonicalization or root-directory containment validation, which may allow reading of files outside the intended content directory.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
phpmyfaq phpmyfaq to 4.1.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

phpMyFAQ versions before 4.1.5 contain an authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php.

A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation.

The vulnerability arises because the path resolution logic uses strpos() to locate the substring "content" in user-controlled paths. When "content" is not found, strpos() returns false, which is cast to 0, causing the entire attacker-controlled path to be preserved.

This path is then passed to file_get_contents() without proper canonicalization or root-directory containment validation, potentially allowing reading of files outside the intended content directory.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows an authenticated user with FAQ editing privileges to read arbitrary files on the server outside the intended content directory.

Such unauthorized file access can lead to exposure of sensitive information stored on the server, potentially compromising system security or confidentiality.

Detection Guidance

This vulnerability requires a user with FAQ editing privileges to craft malicious HTML image paths that are processed during PDF generation. Detection involves identifying such crafted paths or monitoring PDF generation activities for unusual file access.

Since the issue is in the concatenatePaths() function in src/phpMyFAQ/Export/Pdf/Wrapper.php, you can audit the source code or logs for usage of file_get_contents() with user-controlled paths that lack proper canonicalization.

There are no specific commands provided in the available resources to detect exploitation attempts on the network or system.

Mitigation Strategies

The primary mitigation is to upgrade phpMyFAQ to version 4.1.5 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, restrict FAQ editing privileges to trusted users only, as exploitation requires authenticated users with such privileges.

Implement or verify that path canonicalization and root-directory containment checks are in place for any user-controlled paths processed during PDF generation.

  • Replace substring-based path anchoring with proper canonicalization.
  • Enforce strict root-directory containment checks.
  • Use explicit allowlisting of permitted image locations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart