{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34973", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.616Z", "datePublished": "2026-04-02T14:47:22.775Z", "dateUpdated": "2026-04-02T14:47:22.775Z"}, "containers": {"cna": {"title": "phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-943", "lang": "en", "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"}, {"name": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:47:22.775Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure. This issue has been patched in version 4.1.1."}], "source": {"advisory": "GHSA-gcp9-5jc8-976x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure. This issue has been patched in version 4.1.1."}], "id": "CVE-2026-34973", "lastModified": "2026-04-02T15:16:51.750", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:51.750", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-943"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "phpMyFAQ", "source": "cna", "vendor": "thorsten"}, "product": "phpmyfaq", "vendor": "thorsten"}], "analysis": {"en": {"generated_at": "2026-04-02T16:35:59.154763+00:00", "value": {"mitigation_remediation": ["Apply phpMyFAQ version\u00a04.1.1 or later"], "summary": {"action": "Apply Patch", "impact": "Broad Information Disclosure"}, "threat_synthesis": {"affected_systems": "Products affected are the open\u2011source FAQ application phpMyFAQ maintained by thorsten. All releases prior to version\u00a04.1.1 are vulnerable, as the patch was applied in the 4.1.1 release.", "description_and_impact": "An unauthenticated attacker can insert unescaped percent and underscore characters into the search term of phpMyFAQ\u2019s searchCustomPages() function. Because the function only applies real_escape_string, which does not escape SQL LIKE metacharacters, the database expands the pattern. This results in a SQL wildcard injection that causes the search to match unintended records, exposing FAQ content that should not have been disclosed.", "risk_and_exploitability": "Common Vulnerability Scoring System assigns a score of\u00a06.9, indicating moderate severity. The EPSS metric is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only access to the public search interface; no authentication or additional privileges are needed. Because the wildcard characters are part of a normal user input field, attackers can mount automated requests to enumerate potentially sensitive records. The combination of unauthenticated access, easy injection, and lack of protection suggests a realistic threat profile."}}}}, "created": "2026-04-02T20:11:38.275808+00:00", "updated": "2026-04-02T20:20:19.676590+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}