CVE-2026-34973

MEDIUM

phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure

Title source: cna

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1.

References (2)

[X_Refsource_Confirm] https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x

[X_Refsource_Misc] https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1

Scores

CVSS v3 5.3

EPSS 0.0007

EPSS Percentile 22.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-943

Status published

Products (3)

phpmyfaq/phpmyfaq 4.1.0

thorsten/phpmyfaq 0 - 4.1.1Packagist

thorsten/phpMyFAQ < 4.1.1

Published Apr 02, 2026

Tracked Since Apr 02, 2026