PatchSiren cyber security CVE debrief
CVE-2026-45008 thorsten CVE debrief
CVE-2026-45008 affects phpMyFAQ before 4.1.2. A path traversal issue in Client::deleteClientFolder can let an authenticated admin with INSTANCE_DELETE delete directories outside the intended clientFolder scope. The impact is integrity and availability loss through unintended recursive directory deletion.
- Vendor: thorsten
- Product: phpmyfaq
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running phpMyFAQ, especially those exposing administrative functions to users with INSTANCE_DELETE permission. Security teams, application owners, and administrators responsible for backup and recovery should prioritize this issue because the affected action can remove filesystem content outside the expected application directory.
Technical summary
The vulnerability is a directory traversal flaw (CWE-73) in phpMyFAQ's client deletion logic. According to the supplied description and NVD metadata, an admin can influence the client URL parameter with traversal sequences so that Client::deleteClientFolder operates on paths outside the intended scope. The reported CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H, reflecting network reachability, required high privileges, and high integrity/availability impact.
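The defensive counterpart to the flaw described above is a containment check that canonicalises the requested client folder and refuses anything that does not resolve to a directory strictly inside the configured base directory. The following PHP script is an added illustration written for this debrief; it is not phpMyFAQ's code and does not reproduce Client::deleteClientFolder. The function names (resolveClientFolder, safeDeleteClientFolder, removeTree), the allowlist pattern for client names and the temporary directory layout are all assumptions made for the example.

```php
<?php
// Added example (not phpMyFAQ code): a containment check for a per-client
// folder deletion routine. Function names and directory layout are assumptions.

declare(strict_types=1);

/**
 * Return the canonical path of $client's folder if, and only if, it lies
 * strictly inside $baseDir. Returns null for anything else, so the caller
 * never touches a path outside the intended scope.
 */
function resolveClientFolder(string $baseDir, string $client): ?string
{
    // First line of defence: a client name is a single plain path component.
    // Separators, NUL bytes and dot-segments are never legitimate here.
    if ($client === '' || !preg_match('/\A[A-Za-z0-9_-]+\z/', $client)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "..", resolves symlinks and duplicate separators,
    // and returns false when the path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $client);
    if ($target === false) {
        return null;
    }

    // Second line of defence: the resolved target must start with "<base>/".
    // Comparing against "<base>" alone would also accept a sibling such as
    // "/srv/data-old", hence the trailing separator in the prefix.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $target;
}

/** Recursively delete $dir. Only ever called on a path resolveClientFolder approved. */
function removeTree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    rmdir($dir);
}

/** Delete a client's folder; true on success, false when the request is refused. */
function safeDeleteClientFolder(string $baseDir, string $client): bool
{
    $target = resolveClientFolder($baseDir, $client);
    if ($target === null) {
        // Refusals are worth logging: they are the signal a monitoring rule keys on.
        error_log('client folder deletion refused for input: ' . var_export($client, true));
        return false;
    }
    removeTree($target);
    return true;
}

// --- Constructed demonstration in a throwaway temp directory ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'clientfolder-demo-' . getmypid();
mkdir($base . '/acme/logs', 0700, true);
file_put_contents($base . '/acme/logs/app.log', "sample\n");
mkdir($base . '-outside', 0700);   // sibling directory that must survive

// Constructed inputs: one legitimate name, several traversal-style values, one absent folder.
$inputs = ['acme', '../', '../..', 'acme/../../etc', "acme\0x", 'missing'];
foreach ($inputs as $in) {
    $ok = safeDeleteClientFolder($base, $in);
    printf("%-28s -> %s\n", var_export($in, true), $ok ? 'deleted' : 'refused');
}
var_dump(is_dir($base . '/acme'));     // bool(false): the legitimate target is gone
var_dump(is_dir($base . '-outside'));  // bool(true): the sibling was never reachable

rmdir($base . '-outside');
rmdir($base);
```

Run it with the PHP CLI (`php demo.php`). The realpath comparison is the check that actually matters: it also rejects a symlink placed inside the base directory that points elsewhere, because realpath follows the link before the prefix test runs. The allowlist on the name is defence in depth and turns every traversal attempt into a logged refusal, which is the event the "monitor administrative actions around client deletion" recommendation below can alert on.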
Defensive priority
Medium. This is not listed as KEV in the supplied data, but it can still cause destructive filesystem deletion for privileged users. Treat as a prompt patch-and-verify item for any phpMyFAQ deployment still below 4.1.2.
Recommended defensive actions
- Upgrade phpMyFAQ to 4.1.2 or later.
- Review who has INSTANCE_DELETE permission and reduce it to the smallest necessary set of administrators.
- Audit affected systems for unexpected directory deletions and verify backups are current and restorable.
- Check application and filesystem permissions so the phpMyFAQ process cannot delete beyond its intended data directory.
- Monitor administrative actions around client deletion for unusual path values or deletion attempts.
- Validate any custom integrations or deployment scripts that interact with client folder deletion after upgrading.
Evidence notes
The supplied NVD metadata lists the weakness as CWE-73 and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H. The description states the issue exists in phpMyFAQ before 4.1.2 and that it allows admins with INSTANCE_DELETE to delete arbitrary directories via traversal sequences in the client URL parameter. NVD also marks the vulnerability status as Deferred in the provided source item.
Official resources
First published in the supplied record on 2026-05-15 and modified on 2026-05-18. The source references point to a GitHub security advisory and a VulnCheck advisory. NVD marks the vulnerability status as Deferred in the provided metadata.