CVE-2026-45008 phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter

🗓️ 15 May 2026 18:36:35Reported by VulnCheckType

CVE-2026-45008: Path traversal in phpMyFAQ before 4.1.2 lets admins with INSTANCE_DELETE delete arbitrary directories via URL.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2026-45008	15 May 202618:36	–	attackerkb
CNNVD	phpMyFAQ 安全漏洞	15 May 202600:00	–	cnnvd
CVE	CVE-2026-45008	15 May 202618:36	–	cve
EUVD	EUVD-2026-30593	15 May 202618:36	–	euvd
Github Security Blog	phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins	6 May 202620:47	–	github
Github Security Blog	Duplicate Advisory: phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins	15 May 202621:31	–	github
NVD	CVE-2026-45008	15 May 202619:17	–	nvd
OSV	GHSA-GH9P-Q46P-57G2 phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins	6 May 202620:47	–	osv
OSV	GHSA-RMQR-H98C-QG2M Duplicate Advisory: phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins	15 May 202621:31	–	osv
Positive Technologies	PT-2026-41355	15 May 202600:00	–	ptsecurity

[
  {
    "vendor": "thorsten",
    "product": "phpmyfaq",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "versionType": "semver",
        "lessThan": "4.1.2"
      },
      {
        "version": "4.1.2",
        "status": "unaffected",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2
vulncheck	www.vulncheck.com/advisories/phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter

28 May 2026 14:15Current

CVSS 3.16.5

CVSS 47

EPSS0.00048

CWE-73