Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
AnalysisAI
Arbitrary directory deletion in phpMyFAQ before 4.1.2 allows authenticated admins with the INSTANCE_DELETE permission to recursively delete directories outside the multisite clientFolder by submitting path traversal sequences in the client URL parameter. The flaw stems from Client::deleteClientFolder() stripping only the https:// scheme without canonicalizing or validating ../ segments before passing the path to Filesystem::deleteDirectory(). Publicly available exploit code exists (VulnCheck advisory and GHSA write-up include a PoC), though EPSS remains low at 0.04% and the issue is not listed in CISA KEV.
Technical ContextAI
phpMyFAQ is a PHP-based open-source FAQ/knowledge-base application (cpe:2.3:a:thorsten:phpmyfaq) that supports a multisite deployment mode where each client instance has its own filesystem folder under clientFolder. The root cause is CWE-73 (External Control of File Name or Path): in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583, deleteClientFolder() performs str_replace('https://', '', $sourceUrl) and then concatenates the result onto $this->clientFolder before invoking Filesystem::deleteDirectory(). Because str_replace removes only the literal scheme and no normalization or allow-listing is applied, ../ segments survive unmodified. The sink is reachable from three admin entry points - InstanceController.php:184 (delete API), InstanceController.php:144 (edit API) and the form-based Controller/Administration/InstanceController.php:151 - all gated by the granular INSTANCE_DELETE permission rather than SUPER_ADMIN. This is the same bug class as GHSA-38m8-xrfj-v38x (MediaBrowserController), which the project previously accepted at High severity.
RemediationAI
Upgrade to phpMyFAQ 4.1.2, the vendor-released patched version confirmed by the GHSA advisory (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2) and the EUVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-45008 . For operators who cannot upgrade immediately, restrict the INSTANCE_DELETE permission to fully trusted SUPER_ADMIN-equivalent accounts only - this directly removes the attacker class the bug requires, at the cost of reducing role granularity for multisite operators. As a defense-in-depth measure, disable the multisite feature (isMultiSiteWriteable returns false) where it is not used, which makes deleteClientFolder() return early before reaching the sink; the side effect is that legitimate per-client folder management via the API will stop functioning. Additionally, run the PHP/web user with least-privilege filesystem permissions so that even a successful traversal cannot reach sensitive directories such as the OS root, sibling vhosts, or backup mounts.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30593
GHSA-rmqr-h98c-qg2m