CVE-2026-45008 (HIGH), CNA: VulnCheck
CVE-2026-45008: phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: 4.1.2
- Affected Products: 1
Fix available: 4.1.2
Affected packages
- thorsten / phpmyfaq < 4.1.2 (from 0), fixed in 4.1.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N