phpMyFAQ Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2026-34728

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1 the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (amp 39 quot lt gt) and characters with ASCII value lt 32 and does not prevent directory traversal sequences like ../. Additionally the endpoint does not validate CSRF tokens making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.