PT-2026-29669 · phpMyFAQ · phpMyFAQ

Ik0Z · Published 2026-04-01 · Updated 2026-04-05 · CVE-2026-34728

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.1

Description: phpMyFAQ is susceptible to arbitrary file deletion due to missing path traversal validation and CSRF token verification in the MediaBrowserController::index() method. Specifically, when the fileRemove action is triggered, the name parameter, received via a GET request, is concatenated with the base upload directory without proper sanitization. The FILTER_SANITIZE_SPECIAL_CHARS filter is insufficient to prevent directory traversal: it only HTML-encodes characters such as <, >, & and quotes, and leaves . and / untouched, so a sequence like ../ passes through unchanged. The absence of CSRF token validation further exacerbates the issue, allowing attackers to exploit it via Cross-Site Request Forgery attacks. The vulnerable file is phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MediaBrowserController.php. The API endpoint '/admin/api/media-browser' is affected, and the vulnerable parameter is name. Exploitation can lead to server compromise, data loss, and security bypass by deleting critical files such as the database configuration file or .htaccess. The vulnerability can be exploited through direct requests with a valid admin session or via CSRF attacks against a logged-in administrator.

Recommendations: Update phpMyFAQ to version 4.1.1 or later. Implement path traversal validation using basename() and realpath() to ensure the resolved target path remains within the intended directory; compare it against the realpath() of the base directory (with a trailing separator), since realpath() on its own does not reject paths that resolve outside the base. Add CSRF protection by verifying a session-bound CSRF token before processing the fileRemove action.
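The following is an added illustration written for this page; it is not phpMyFAQ's code and does not reproduce MediaBrowserController. It shows a stand-in for the fileRemove branch in the shape the advisory describes (HTML-special-character filtering followed by concatenation) next to a hardened version that applies the recommendations above (CSRF token check, basename(), realpath(), prefix check). The function names, the directory layout under the system temp directory and the token plumbing are hypothetical; only FILTER_SANITIZE_SPECIAL_CHARS, basename() and realpath() are the real PHP facilities the advisory names.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. Function names, the directory
// layout and the token handling are hypothetical stand-ins.

// Vulnerable shape. FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes < > & and
// quotes but leaves '.' and '/' untouched, so "../" survives the filter
// and the concatenation walks out of the upload directory.
function removeVulnerable(string $uploadDir, string $name): bool
{
    $clean  = filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
    $target = $uploadDir . '/' . $clean;
    return is_file($target) && unlink($target);
}

// Hardened shape: CSRF token check first, then basename() to drop any
// directory component, realpath() on both sides, and a prefix check that
// keeps the resolved target inside the resolved base directory.
function removeHardened(string $uploadDir, string $name, ?string $token, string $sessionToken): bool
{
    if ($token === null || !hash_equals($sessionToken, $token)) {
        return false;                     // CSRF: token absent or wrong, refuse
    }
    $file = basename($name);
    if ($file === '' || $file[0] === '.') {
        return false;                     // additional measure: never delete dotfiles such as .htaccess
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false) {
        return false;                     // realpath() returns false for a path that does not exist
    }
    // Trailing separator so that a sibling like /uploads-old cannot pass for /uploads.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Constructed layout under the system temp dir: an upload base at
// attachments/images and a config/database.php stand-in two levels up.
$root   = sys_get_temp_dir() . '/pmf-demo-' . bin2hex(random_bytes(4));
$images = "$root/attachments/images";
$config = "$root/config/database.php";
mkdir($images, 0700, true);
mkdir(dirname($config), 0700, true);
file_put_contents($config, "<?php // constructed stand-in for the DB config\n");
file_put_contents("$images/logo.png", 'constructed placeholder, not a real PNG');

$payload = '../../config/database.php';   // the name= value an attacker would send

removeVulnerable($images, $payload);
printf("vulnerable handler, traversal payload: config still present = %s\n",
    var_export(file_exists($config), true));

file_put_contents($config, "<?php // recreated for the hardened run\n");
$sessionToken = bin2hex(random_bytes(16));  // stand-in for a session-bound CSRF token

$r1 = removeHardened($images, $payload, $sessionToken, $sessionToken);
printf("hardened handler, traversal payload: removed = %s, config still present = %s\n",
    var_export($r1, true), var_export(file_exists($config), true));

$r2 = removeHardened($images, 'logo.png', null, $sessionToken);
printf("hardened handler, missing CSRF token: removed = %s\n", var_export($r2, true));

$r3 = removeHardened($images, 'logo.png', $sessionToken, $sessionToken);
printf("hardened handler, legitimate request: removed = %s\n", var_export($r3, true));

// Clean up the constructed tree.
foreach ([$config, "$images/logo.png"] as $f) {
    if (file_exists($f)) {
        unlink($f);
    }
}
foreach ([dirname($config), $images, "$root/attachments", $root] as $d) {
    rmdir($d);
}
```

Run it with the PHP CLI. The first call deletes the config stand-in through the traversal payload; the hardened handler refuses the same payload (basename() reduces it to database.php, which does not exist under the upload base), refuses a legitimate filename when no CSRF token accompanies the request, and deletes logo.png only when both the token and the resolved path check out. Note that the prefix comparison must use the realpath() of the base directory, not the configured string, so that symlinks and trailing-slash differences do not defeat the check.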

Exploit · Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-34728
GHSA-38M8-XRFJ-V38X

Affected Products

Phpmyfaq