phpMyFAQ is an open-source FAQ web application that prior to version 4.1.1 contained a critical path traversal vulnerability (CVE-2026-34728) in its MediaBrowserController::index() method. This method manages file deletion requests via the 'fileRemove' action, which takes a user-supplied 'name' parameter representing the filename to delete. The vulnerability stems from the concatenation of this parameter with the base upload directory path without proper validation to restrict directory traversal sequences such as '../'. The application applies FILTER_SANITIZE_SPECIAL_CHARS to the input, which only encodes HTML special characters and ASCII control characters but does not sanitize or block directory traversal patterns. Consequently, an attacker can craft a malicious filename containing '../' sequences to traverse outside the intended directory and delete arbitrary files on the server. Compounding this issue, the endpoint does not implement CSRF token validation, allowing attackers to exploit the vulnerability via Cross-Site Request Forgery attacks by tricking authenticated users into triggering file deletions. The vulnerability affects all phpMyFAQ versions before 4.1.1 and has a CVSS 3.1 score of 8.7, indicating high severity. The scope is significant as it impacts confidentiality indirectly (through potential deletion of sensitive files), integrity (unauthorized file deletion), and availability (disruption of service). The vulnerability requires low privileges (authenticated user) and user interaction (triggering the malicious request), but no complex conditions. The issue was publicly disclosed in April 2026 and has been patched in version 4.1.1. No known exploits in the wild have been reported yet.

This vulnerability allows attackers with authenticated access to delete arbitrary files on the server hosting phpMyFAQ, potentially including critical application files, configuration files, or other sensitive data. The unauthorized file deletion can disrupt the availability of the FAQ service and compromise data integrity. If attackers delete configuration or authentication files, they may cause denial of service or facilitate further exploitation. The lack of CSRF protection increases the risk by enabling attackers to exploit authenticated users via social engineering or malicious websites, broadening the attack surface. Organizations relying on phpMyFAQ for knowledge management or customer support may face operational disruptions, data loss, and reputational damage. Since phpMyFAQ is often deployed in web-facing environments, the risk of exploitation is significant, especially in environments where user authentication is weak or where users can be socially engineered. The impact extends to any organization using vulnerable versions, including enterprises, educational institutions, and government agencies.

1. Upgrade phpMyFAQ to version 4.1.1 or later, where this vulnerability is patched. 2. Implement strict server-side validation to sanitize and validate file path inputs, explicitly disallowing directory traversal sequences such as '../'. 3. Use secure coding practices to avoid concatenating user input directly into file system paths without validation. 4. Enforce CSRF protection on all state-changing endpoints by implementing anti-CSRF tokens and validating them on the server side. 5. Restrict file deletion permissions to the minimum necessary users and roles to reduce the attack surface. 6. Employ web application firewalls (WAFs) with rules to detect and block directory traversal patterns and CSRF attack attempts. 7. Monitor logs for suspicious file deletion requests or unusual user activity. 8. Conduct regular security audits and penetration testing focusing on input validation and CSRF vulnerabilities. 9. Educate users about phishing and social engineering risks to mitigate CSRF exploitation vectors.