PT-2026-57179 · Phpmyfaq · Phpmyfaq

Domainxtech

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-57961

CVSS v3.1

2.7

Low

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation. The path resolution logic locates the substring "content" within a user-controlled path using strpos(); when "content" is absent, strpos() returns false, which becomes 0 when cast to an integer, preserving the entire attacker-controlled path. This path is later passed to file get contents() without canonicalization or root-directory containment validation, which may allow reading of files outside the intended content directory.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57961

Affected Products

Phpmyfaq