What is GHSA-rmqr-h98c-qg2m?

GHSA-rmqr-h98c-qg2m is a security advisory published by GitHub Security Advisories with Medium severity. phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins

Which CVE IDs does GHSA-rmqr-h98c-qg2m cover?

GHSA-rmqr-h98c-qg2m covers the following CVE IDs: CVE-2026-45008. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rmqr-h98c-qg2m?

GHSA-rmqr-h98c-qg2m has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-rmqr-h98c-qg2m?

GHSA-rmqr-h98c-qg2m affects 1 product, including: composer/phpMyFAQ/phpMyFAQ:\u003c 4.1.2.

GHSA-rmqr-h98c-qg2mMediumCVSS 6.5

phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins

Vendor

GitHub Security Advisories

Published

May 15, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-45008 →

📋 Description

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.

🎯 Affected products1

composer/phpMyFAQ/phpMyFAQ:< 4.1.2

🔗 References (4)

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2
https://nvd.nist.gov/vuln/detail/CVE-2026-45008
https://www.vulncheck.com/advisories/phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter
https://github.com/advisories/GHSA-rmqr-h98c-qg2m