CVE-2026-34728
Published: 02 April 2026
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2026-34728 is a path traversal vulnerability in phpMyFAQ, an open source FAQ web application, affecting versions prior to 4.1.1. The issue lies in the MediaBrowserController::index() method, which processes file deletion requests in the media browser. When the fileRemove action is triggered, it concatenates the user-supplied name parameter directly onto the base upload directory path without checking for path traversal. The applied FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters and characters with ASCII values below 32, so sequences like ../ pass through unchanged. The endpoint also lacks CSRF token validation, so the deletion can additionally be triggered through cross-site request forgery.
Attackers require low privileges, such as those of an authenticated user (PR:L), and can exploit this remotely over the network (AV:N) with low complexity (AC:L), though user interaction is needed (UI:R), typically via CSRF. By supplying a malicious name parameter with traversal payloads, they can delete arbitrary files beyond the upload directory, achieving high integrity and availability impacts (I:H/A:H) with a changed scope (S:C) but no confidentiality loss (C:N). The vulnerability carries a CVSS v3.1 base score of 8.7 and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
phpMyFAQ has patched this vulnerability in version 4.1.1. Administrators should upgrade to this release or later to mitigate the issue. Additional details are available in the GitHub security advisory GHSA-38m8-xrfj-v38x and the release notes for version 4.1.1.
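The two defects described above, illustrated with an added example that is not phpMyFAQ's own code: the filter leaves traversal sequences intact, and a canonicalised containment check (plus a constant-time CSRF token comparison) is what closes the gap. The base directory, file names and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical upload directory standing in for the media browser's base path.
$baseDir = sys_get_temp_dir() . '/media-demo';
@mkdir($baseDir, 0700, true);
file_put_contents($baseDir . '/image.png', 'x');

// FILTER_SANITIZE_SPECIAL_CHARS only HTML-encodes '"<>& and control characters
// (ASCII < 32); dots and slashes are untouched, so a traversal name survives.
$filtered = filter_var('../../config.php', FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($filtered === '../../config.php'); // bool(true): traversal intact

/**
 * Resolve a user-supplied file name inside $baseDir, or return null.
 * Rejects names carrying directory components and anything that
 * canonicalises (including via symlinks) outside the base directory.
 */
function resolveInside(string $baseDir, string $name): ?string
{
    // Refuse empty names, '.', '..' and anything containing a separator.
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $candidate === false) {
        return null; // base missing, or the file does not exist
    }
    // The canonical path must lie strictly below the canonical base directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** Constant-time comparison of the session CSRF token with the submitted one. */
function csrfTokenValid(string $sessionToken, ?string $submitted): bool
{
    return $submitted !== null && hash_equals($sessionToken, $submitted);
}

var_dump(resolveInside($baseDir, 'image.png') !== null);      // bool(true)
var_dump(resolveInside($baseDir, '../../config.php'));        // NULL
var_dump(resolveInside($baseDir, 'sub/../../config.php'));    // NULL
var_dump(csrfTokenValid('constructed-token', 'constructed-token')); // bool(true)
var_dump(csrfTokenValid('constructed-token', null));                // bool(false)
```

A delete handler would call resolveInside() and csrfTokenValid() before unlink() and refuse the request when either returns a negative result.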
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability in public-facing web application (phpMyFAQ) enables remote exploitation for arbitrary file deletion, directly mapping to T1190 (Exploit Public-Facing Application) and T1070.004 (File Deletion).