CVE-2026-34728: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in thorsten phpMyFAQ
A path traversal vulnerability (CWE-22) exists in phpMyFAQ versions prior to 4. 1. 1 in the MediaBrowserController::index() method. The vulnerability arises because the user-supplied filename parameter is concatenated with the base upload directory path without proper validation, allowing directory traversal sequences like .. / to bypass restrictions. The input sanitization only encodes HTML special characters and does not prevent traversal sequences. Additionally, the endpoint lacks CSRF token validation, making it susceptible to CSRF attacks. This vulnerability has been patched in version 4. 1. 1.
AI Analysis
Technical Summary
phpMyFAQ before version 4.1.1 contains a path traversal vulnerability in the MediaBrowserController::index() method used for file deletion. The user-controlled 'name' parameter is concatenated with the base upload directory path without sufficient validation to prevent directory traversal. The FILTER_SANITIZE_SPECIAL_CHARS filter applied does not block directory traversal sequences like '../'. Furthermore, the fileRemove action endpoint does not validate CSRF tokens, enabling exploitation via CSRF attacks. This combination allows an attacker with at least limited privileges and user interaction to delete arbitrary files on the server. The issue was fixed in phpMyFAQ version 4.1.1.
Potential Impact
Successful exploitation can lead to unauthorized deletion of arbitrary files on the server due to path traversal. The lack of CSRF protection increases the risk by allowing attackers to trigger the file deletion action via CSRF attacks. The CVSS score of 8.7 (high severity) reflects the network attack vector, low attack complexity, requirement for privileges and user interaction, and impact on integrity and availability. There is no indication of confidentiality impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched. The patch includes proper validation of the file path to prevent directory traversal and adds CSRF token validation to the fileRemove action endpoint. Until upgrading, restrict access to the affected functionality to trusted users only and consider additional protective controls to prevent CSRF attacks. Patch status is confirmed as fixed in version 4.1.1.
CVE-2026-34728: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in thorsten phpMyFAQ
Description
A path traversal vulnerability (CWE-22) exists in phpMyFAQ versions prior to 4. 1. 1 in the MediaBrowserController::index() method. The vulnerability arises because the user-supplied filename parameter is concatenated with the base upload directory path without proper validation, allowing directory traversal sequences like .. / to bypass restrictions. The input sanitization only encodes HTML special characters and does not prevent traversal sequences. Additionally, the endpoint lacks CSRF token validation, making it susceptible to CSRF attacks. This vulnerability has been patched in version 4. 1. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
phpMyFAQ before version 4.1.1 contains a path traversal vulnerability in the MediaBrowserController::index() method used for file deletion. The user-controlled 'name' parameter is concatenated with the base upload directory path without sufficient validation to prevent directory traversal. The FILTER_SANITIZE_SPECIAL_CHARS filter applied does not block directory traversal sequences like '../'. Furthermore, the fileRemove action endpoint does not validate CSRF tokens, enabling exploitation via CSRF attacks. This combination allows an attacker with at least limited privileges and user interaction to delete arbitrary files on the server. The issue was fixed in phpMyFAQ version 4.1.1.
Potential Impact
Successful exploitation can lead to unauthorized deletion of arbitrary files on the server due to path traversal. The lack of CSRF protection increases the risk by allowing attackers to trigger the file deletion action via CSRF attacks. The CVSS score of 8.7 (high severity) reflects the network attack vector, low attack complexity, requirement for privileges and user interaction, and impact on integrity and availability. There is no indication of confidentiality impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched. The patch includes proper validation of the file path to prevent directory traversal and adds CSRF token validation to the fileRemove action endpoint. Until upgrading, restrict access to the affected functionality to trusted users only and consider additional protective controls to prevent CSRF attacks. Patch status is confirmed as fixed in version 4.1.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.754Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de33612
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/10/2026, 12:06:15 AM
Last updated: 5/20/2026, 8:52:41 PM
Views: 36
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.