Skip to main content

phpMyFAQ EUVDEUVD-2026-30593

| CVE-2026-45008 HIGH
External Control of File Name or Path (CWE-73)
2026-05-15 VulnCheck GHSA-rmqr-h98c-qg2m
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
May 28, 2026 - 16:44 vuln.today
v5 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:43 vuln.today
v4 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:43 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
May 28, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
May 28, 2026 - 16:22 NVD
6.5 (MEDIUM) 7.0 (HIGH)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:36 vuln.today
Analysis Generated
May 15, 2026 - 19:36 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.

AnalysisAI

Arbitrary directory deletion in phpMyFAQ before 4.1.2 allows authenticated admins with the INSTANCE_DELETE permission to recursively delete directories outside the multisite clientFolder by submitting path traversal sequences in the client URL parameter. The flaw stems from Client::deleteClientFolder() stripping only the https:// scheme without canonicalizing or validating ../ segments before passing the path to Filesystem::deleteDirectory(). Publicly available exploit code exists (VulnCheck advisory and GHSA write-up include a PoC), though EPSS remains low at 0.04% and the issue is not listed in CISA KEV.

Technical ContextAI

phpMyFAQ is a PHP-based open-source FAQ/knowledge-base application (cpe:2.3:a:thorsten:phpmyfaq) that supports a multisite deployment mode where each client instance has its own filesystem folder under clientFolder. The root cause is CWE-73 (External Control of File Name or Path): in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583, deleteClientFolder() performs str_replace('https://', '', $sourceUrl) and then concatenates the result onto $this->clientFolder before invoking Filesystem::deleteDirectory(). Because str_replace removes only the literal scheme and no normalization or allow-listing is applied, ../ segments survive unmodified. The sink is reachable from three admin entry points - InstanceController.php:184 (delete API), InstanceController.php:144 (edit API) and the form-based Controller/Administration/InstanceController.php:151 - all gated by the granular INSTANCE_DELETE permission rather than SUPER_ADMIN. This is the same bug class as GHSA-38m8-xrfj-v38x (MediaBrowserController), which the project previously accepted at High severity.

RemediationAI

Upgrade to phpMyFAQ 4.1.2, the vendor-released patched version confirmed by the GHSA advisory (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2) and the EUVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-45008 . For operators who cannot upgrade immediately, restrict the INSTANCE_DELETE permission to fully trusted SUPER_ADMIN-equivalent accounts only - this directly removes the attacker class the bug requires, at the cost of reducing role granularity for multisite operators. As a defense-in-depth measure, disable the multisite feature (isMultiSiteWriteable returns false) where it is not used, which makes deleteClientFolder() return early before reaching the sink; the side effect is that legitimate per-client folder management via the API will stop functioning. Additionally, run the PHP/web user with least-privilege filesystem permissions so that even a successful traversal cannot reach sensitive directories such as the OS root, sibling vhosts, or backup mounts.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

EUVD-2026-30593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy