Cyber Resilience

CVE-2026-34728

Severity: High · Public PoC

Published: 02 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: available (version 4.1.1)
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H)
EPSS Score: 0.0069 (48.1 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34728 is a high-severity Path Traversal (CWE-22) vulnerability in phpMyFAQ (CPE vendor/product: Phpmyfaq Phpmyfaq). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34728 is a path traversal vulnerability in phpMyFAQ, an open source FAQ web application, affecting versions prior to 4.1.1. The issue lies in the MediaBrowserController::index() method, which processes file deletion requests for the media browser. When the fileRemove action is triggered, the method concatenates the user-supplied name parameter directly with the base upload directory path without checking for path traversal. The FILTER_SANITIZE_SPECIAL_CHARS filter applied to the parameter only encodes HTML special characters and characters with ASCII values below 32, so it does not block sequences such as ../. The endpoint also lacks CSRF token validation, so the request can be forged from another origin.

Attackers require low privileges, such as those of an authenticated user (PR:L), and can exploit this remotely over the network (AV:N) with low complexity (AC:L), though user interaction is needed (UI:R), typically via CSRF. By supplying a malicious name parameter with traversal payloads, they can delete arbitrary files beyond the upload directory, achieving high integrity and availability impacts (I:H/A:H) with a changed scope (S:C) but no confidentiality loss (C:N). The vulnerability carries a CVSS v3.1 base score of 8.7 and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

phpMyFAQ has patched this vulnerability in version 4.1.1. Administrators should upgrade to this release or later to mitigate the issue. Additional details are available in the GitHub security advisory GHSA-38m8-xrfj-v38x and the release notes for version 4.1.1.

Vulnerability details

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
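The two defects described above, as an added illustration written for this page (it is not phpMyFAQ's code, and assumes PHP 8 plus a constructed temporary upload directory): the first function shows that FILTER_SANITIZE_SPECIAL_CHARS leaves a traversal sequence untouched, the second shows a canonicalization-and-containment check that rejects it, and the third shows a constant-time CSRF token comparison for the state-changing deletion action.

```php
<?php
// Added illustration, not phpMyFAQ's code. Assumes PHP 8 and a constructed
// upload directory; it contrasts the HTML-escaping filter with a containment check.
declare(strict_types=1);

// Constructed demo upload directory (hypothetical path, created in the temp dir).
$baseDir = sys_get_temp_dir() . '/demo-upload';
@mkdir($baseDir . '/sub', 0700, true);
touch($baseDir . '/sub/image.png');

// What FILTER_SANITIZE_SPECIAL_CHARS actually does: it encodes & ' " < > and
// bytes below 32. Dots and slashes pass through, so "../" survives unchanged.
function sanitizedName(string $name): string
{
    return (string) filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Containment check: canonicalize base and candidate, then require the
// candidate to sit strictly below the base directory. Returns null on rejection.
function resolveInsideUploadDir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || str_contains($name, "\0")) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for nonexistent paths (nothing to delete) and
    // follows symlinks, so a link pointing outside the base is caught as well.
    if ($target === false || $target === $base) {
        return null;
    }
    return str_starts_with($target, $base . DIRECTORY_SEPARATOR) ? $target : null;
}

// Session-bound CSRF token comparison for the state-changing fileRemove action.
function csrfTokenValid(?string $sessionToken, ?string $submitted): bool
{
    return is_string($sessionToken) && is_string($submitted)
        && $sessionToken !== '' && hash_equals($sessionToken, $submitted);
}

$traversal = '../../outside.txt';                            // constructed traversal input
var_dump(sanitizedName($traversal));                         // the filter leaves the sequence intact
var_dump(resolveInsideUploadDir($baseDir, $traversal));      // rejected
var_dump(resolveInsideUploadDir($baseDir, 'sub/image.png')); // accepted as a canonical path
```

The deletion handler should only act on the path returned by resolveInsideUploadDir() and only after csrfTokenValid() succeeds.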

Related Threats

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The path traversal vulnerability in a public-facing web application (phpMyFAQ) enables remote exploitation for arbitrary file deletion, which maps directly to T1190 (Exploit Public-Facing Application) and T1070.004 (File Deletion).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24422 (same product: Phpmyfaq Phpmyfaq)
CVE-2026-27836 (same product: Phpmyfaq Phpmyfaq)
CVE-2024-56199 (same product: Phpmyfaq Phpmyfaq)
CVE-2026-4350 (shared CWE-22)
CVE-2025-7643 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-8141 (shared CWE-22)
CVE-2025-2328 (shared CWE-22)
CVE-2025-7645 (shared CWE-22)
CVE-2026-41058 (shared CWE-22)

Affected Assets

Vendor: phpmyfaq · Product: phpmyfaq · Versions: ≤ 4.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

SI-10 Information Input Validation (prevent): Requires validation of the user-supplied name parameter to block path traversal sequences like ../ in the MediaBrowserController::index() file deletion endpoint.

SC-23 Session Authenticity (prevent): Mandates session authenticity mechanisms such as CSRF tokens to prevent exploitation of the vulnerable endpoint via cross-site request forgery.

Flaw remediation (prevent): Directly addresses remediation of the path traversal and CSRF flaws by requiring patching to phpMyFAQ version 4.1.1 or later.
