Vulnerability-Lookup

CVE-2026-34973 (GCVE-0-2026-34973)

Vulnerability from cvelistv5 – Published: 2026-04-02 14:47 – Updated: 2026-04-03 18:24

Title

phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure

Summary

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

Assigner

GitHub_M

References

URL

Tags

	https://github.com/thorsten/phpMyFAQ/security/adv…	x_refsource_CONFIRM
	https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	thorsten	phpMyFAQ	Affected: < 4.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34973",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T18:23:50.930157Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T18:24:15.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "phpMyFAQ",
          "vendor": "thorsten",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure. This issue has been patched in version 4.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T14:47:22.775Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"
        },
        {
          "name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-gcp9-5jc8-976x",
        "discovery": "UNKNOWN"
      },
      "title": "phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34973",
    "datePublished": "2026-04-02T14:47:22.775Z",
    "dateReserved": "2026-03-31T19:38:31.616Z",
    "dateUpdated": "2026-04-03T18:24:15.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-34973",
      "date": "2026-04-16",
      "epss": "0.00073",
      "percentile": "0.22246"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34973\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T15:16:51.750\",\"lastModified\":\"2026-04-06T16:11:33.393\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure. This issue has been patched in version 4.1.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-943\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpmyfaq:phpmyfaq:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCE1B56B-7608-4651-A912-28CF11DAF1F5\"}]}]}],\"references\":[{\"url\":\"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34973\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-03T18:23:50.930157Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-03T18:24:03.413Z\"}}], \"cna\": {\"title\": \"phpMyFAQ has a LIKE Wildcard Injection in Search.php \\u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure\", \"source\": {\"advisory\": \"GHSA-gcp9-5jc8-976x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"thorsten\", \"product\": \"phpMyFAQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x\", \"name\": \"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1\", \"name\": \"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \\u2014 including content that was not meant to be surfaced \\u2014 resulting in information disclosure. This issue has been patched in version 4.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-943\", \"description\": \"CWE-943: Improper Neutralization of Special Elements in Data Query Logic\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-02T14:47:22.775Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34973\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-03T18:24:15.944Z\", \"dateReserved\": \"2026-03-31T19:38:31.616Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-02T14:47:22.775Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-GCP9-5JC8-976X

Vulnerability from github – Published: 2026-04-01 23:41 – Updated: 2026-04-06 23:17

Summary

phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure

Details

Summary

The searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure.

Details

File: phpmyfaq/src/phpMyFAQ/Search.php, lines 226–240

Vulnerable code:

$escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm);
$searchWords = explode(' ', $escapedSearchTerm);
$searchConditions = [];

foreach ($searchWords as $word) {
    if (strlen($word) <= 2) {
        continue;
    }
    $searchConditions[] = sprintf(
        "(page_title LIKE '%%%s%%' OR content LIKE '%%%s%%')",
        $word,
        $word
    );
}

escape() calls mysqli::real_escape_string(), which escapes characters like ', \, NULL, etc. — but explicitly does not escape % or _, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.

Attack vector:

A user submits a search term containing _ or % as part of a 3+ character word (to bypass the strlen <= 2 filter). Examples:

Search for a_b → LIKE becomes '%a_b%' → _ matches any single character, e.g. matches "aXb", "a1b", "azb" — broader than the literal string a_b
Search for te%t → LIKE becomes '%te%t%' → matches test, text, te12t, etc.
Search for _%_ → LIKE becomes '%_%_%' → matches any record with at least one character, effectively dumping all custom pages

This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.

PoC

Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).
Submit a search query: _%_ (underscore, percent, underscore — length 3, bypasses the <= 2 filter).
The backend executes: WHERE (page_title LIKE '%_%_%' OR content LIKE '%_%_%')
This matches all custom pages with at least one character in title or content — returning content that would not appear for a specific search term.

Impact

Authentication required: None — search is publicly accessible
Affected component: searchCustomPages() in Search.php; custom pages (faqcustompages table)
Impact: Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter
Fix: Escape % and _ in LIKE search terms before interpolation: php $word = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word); Or use parameterized queries with properly escaped LIKE values.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:41:49Z",
    "nvd_published_at": "2026-04-02T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `searchCustomPages()` method in `phpmyfaq/src/phpMyFAQ/Search.php` uses `real_escape_string()` (via `escape()`) to sanitize the search term before embedding it in LIKE clauses. However, `real_escape_string()` does **not** escape SQL LIKE metacharacters `%` (match any sequence) and `_` (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure.\n\n### Details\n\n**File:** `phpmyfaq/src/phpMyFAQ/Search.php`, lines 226\u2013240\n\n**Vulnerable code:**\n```php\n$escapedSearchTerm = $this-\u003econfiguration-\u003egetDb()-\u003eescape($searchTerm);\n$searchWords = explode(\u0027 \u0027, $escapedSearchTerm);\n$searchConditions = [];\n\nforeach ($searchWords as $word) {\n    if (strlen($word) \u003c= 2) {\n        continue;\n    }\n    $searchConditions[] = sprintf(\n        \"(page_title LIKE \u0027%%%s%%\u0027 OR content LIKE \u0027%%%s%%\u0027)\",\n        $word,\n        $word\n    );\n}\n```\n\n`escape()` calls `mysqli::real_escape_string()`, which escapes characters like `\u0027`, `\\`, `NULL`, etc. \u2014 but explicitly does **not** escape `%` or `_`, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.\n\n**Attack vector:**\n\nA user submits a search term containing `_` or `%` as part of a 3+ character word (to bypass the `strlen \u003c= 2` filter). Examples:\n\n- Search for `a_b` \u2192 LIKE becomes `\u0027%a_b%\u0027` \u2192 `_` matches any single character, e.g. matches `\"aXb\"`, `\"a1b\"`, `\"azb\"` \u2014 broader than the literal string `a_b`\n- Search for `te%t` \u2192 LIKE becomes `\u0027%te%t%\u0027` \u2192 matches `test`, `text`, `te12t`, etc.\n- Search for `_%_` \u2192 LIKE becomes `\u0027%_%_%\u0027` \u2192 matches any record with at least one character, effectively dumping all custom pages\n\nThis allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.\n\n### PoC\n\n1. Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).\n2. Submit a search query: `_%_` (underscore, percent, underscore \u2014 length 3, bypasses the `\u003c= 2` filter).\n3. The backend executes: `WHERE (page_title LIKE \u0027%_%_%\u0027 OR content LIKE \u0027%_%_%\u0027)`\n4. This matches **all** custom pages with at least one character in title or content \u2014 returning content that would not appear for a specific search term.\n\n### Impact\n\n- **Authentication required:** None \u2014 search is publicly accessible\n- **Affected component:** `searchCustomPages()` in `Search.php`; custom pages (faqcustompages table)\n- **Impact:** Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter\n- **Fix:** Escape `%` and `_` in LIKE search terms before interpolation:\n  ```php\n  $word = str_replace([\u0027\\\\\u0027, \u0027%\u0027, \u0027_\u0027], [\u0027\\\\\\\\\u0027, \u0027\\\\%\u0027, \u0027\\\\_\u0027], $word);\n  ```\n  Or use parameterized queries with properly escaped LIKE values.",
  "id": "GHSA-gcp9-5jc8-976x",
  "modified": "2026-04-06T23:17:56Z",
  "published": "2026-04-01T23:41:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34973"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure"
}

FKIE_CVE-2026-34973

Vulnerability from fkie_nvd - Published: 2026-04-02 15:16 - Updated: 2026-04-06 16:11

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1	Product
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x	Exploit, Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	phpmyfaq	phpmyfaq	4.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCE1B56B-7608-4651-A912-28CF11DAF1F5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure. This issue has been patched in version 4.1.1."
    }
  ],
  "id": "CVE-2026-34973",
  "lastModified": "2026-04-06T16:11:33.393",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-02T15:16:51.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-943"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34973 (GCVE-0-2026-34973)

GHSA-GCP9-5JC8-976X

Summary

Details

PoC

Impact

FKIE_CVE-2026-34973

Tags

Sightings

Nomenclature