CVE-2026-34728
Published: 02 April 2026
Summary
CVE-2026-34728 is a high-severity Path Traversal (CWE-22) vulnerability in phpMyFAQ. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 22.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): requires validation of the user-supplied name parameter to block path traversal sequences like ../ in the MediaBrowserController::index() file deletion endpoint.
- SC-23 (Session Authenticity): mandates session authenticity mechanisms such as CSRF tokens to prevent exploitation of the vulnerable endpoint via cross-site request forgery.
- Directly addresses remediation of the path traversal and CSRF flaws by requiring patching to phpMyFAQ version 4.1.1 or later.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Path traversal vulnerability in public-facing web application (phpMyFAQ) enables remote exploitation for arbitrary file deletion, directly mapping to T1190 (Exploit Public-Facing Application) and T1070.004 (File Deletion).
NVD Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
Deeper analysis [AI]
CVE-2026-34728 is a path traversal vulnerability in phpMyFAQ, an open source FAQ web application, affecting versions prior to 4.1.1. The issue lies in the MediaBrowserController::index() method, which processes file deletion requests in the media browser. When the fileRemove action is triggered, it concatenates a user-supplied name parameter directly with the base upload directory path without validating for path traversal. The applied FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters and those with ASCII values below 32, failing to block sequences like ../. The endpoint also lacks CSRF token validation, enabling cross-site request forgery exploitation.
Attackers require low privileges, such as those of an authenticated user (PR:L), and can exploit this remotely over the network (AV:N) with low complexity (AC:L), though user interaction is needed (UI:R), typically via CSRF. By supplying a malicious name parameter with traversal payloads, they can delete arbitrary files beyond the upload directory, achieving high integrity and availability impacts (I:H/A:H) with a changed scope (S:C) but no confidentiality loss (C:N). The vulnerability carries a CVSS v3.1 base score of 8.7 and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
phpMyFAQ has patched this vulnerability in version 4.1.1. Administrators should upgrade to this release or later to mitigate the issue. Additional details are available in the GitHub security advisory GHSA-38m8-xrfj-v38x and the release notes for version 4.1.1.
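The two weaknesses described in the NVD text and the deeper analysis above (an HTML-oriented sanitizer standing in for path validation, and a state-changing endpoint with no CSRF check) are easy to see side by side in a few lines of PHP. The block below is an added example written for this page; it is not phpMyFAQ's code and does not reproduce MediaBrowserController. The function names weakTargetPath, safeTargetPath and csrfTokenValid, the upload directory and the files it creates under the system temp directory are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ's own code). Shows why FILTER_SANITIZE_SPECIAL_CHARS
// does not stop "../" and how a realpath()-anchored check plus a CSRF token check
// close both gaps. $uploadDir and the files below are constructed for the demo.

/** Weak pattern: HTML-sanitize the name, then concatenate it onto the base path. */
function weakTargetPath(string $uploadDir, string $name): string
{
    $sanitized = (string) filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
    return rtrim($uploadDir, '/\\') . '/' . $sanitized;
}

/**
 * Hardened resolution. Returns the canonical path of the file to delete, or null
 * when the request must be refused (traversal, symlink escape, missing file).
 */
function safeTargetPath(string $uploadDir, string $name): ?string
{
    // Only a bare file name is acceptable: no separators, no NUL, no "." or "..".
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)
        || str_contains($name, "\0")) {
        return null;
    }
    $base = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // Canonical prefix check; the trailing separator stops /uploads matching /uploads2.
    return str_starts_with($target, $base . DIRECTORY_SEPARATOR) ? $target : null;
}

/** Constant-time comparison of the session-bound CSRF token with the submitted one. */
function csrfTokenValid(?string $sessionToken, ?string $submitted): bool
{
    return $sessionToken !== null && $submitted !== null
        && hash_equals($sessionToken, $submitted);
}

// --- constructed layout: <tmp>/uploads/logo.png next to <tmp>/config.php ---
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
$uploadDir = $root . '/uploads';
mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . '/logo.png', 'png');
file_put_contents($root . '/config.php', '<?php // sensitive');

foreach (['logo.png', '../config.php', '<b>logo.png'] as $name) {
    $weak = weakTargetPath($uploadDir, $name);
    printf("%-16s filtered: %-24s weak path exists: %s\n",
        $name, (string) filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS),
        file_exists($weak) ? 'yes (unlink would run)' : 'no');
    printf("%-16s hardened: %s\n", '', safeTargetPath($uploadDir, $name) ?? 'REJECTED');
}

$token = bin2hex(random_bytes(16));
var_dump(csrfTokenValid($token, $token));  // genuine form submission carrying the token
var_dump(csrfTokenValid($token, null));    // cross-site request that cannot know the token

// Clean up the constructed files.
unlink($uploadDir . '/logo.png');
unlink($root . '/config.php');
rmdir($uploadDir);
rmdir($root);
```

Running it shows the filter leaving `../config.php` untouched (it only rewrites `<b>` to entities), so the weakly built path for the traversal request points at an existing file outside the upload directory, while the hardened resolver rejects it at the basename check before the filesystem is consulted. The realpath prefix test is the layer that still holds if the name check is ever relaxed, since it compares canonical paths and therefore also catches symlinked escapes; the CSRF comparison uses hash_equals so that token verification does not leak timing information.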
Details
- CWE(s)