PT-2026-57179 · Phpmyfaq · Phpmyfaq
Domainxtech
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-57961
CVSS v3.1
2.7
Low
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation. The path resolution logic locates the substring "content" within a user-controlled path using strpos(); when "content" is absent, strpos() returns false, which becomes 0 when cast to an integer, preserving the entire attacker-controlled path. This path is later passed to file get contents() without canonicalization or root-directory containment validation, which may allow reading of files outside the intended content directory.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq