What is CVE-2026-34973?

### Summary The `searchCustomPages()` method in `phpmyfaq/src/phpMyFAQ/Search.php` uses `real_escape_string()` (via `escape()`) to sanitize the search term before embedding it in LIKE clauses. However, `real_escape_string()` does **not** escape SQL LIKE metacharacters `%` (match any sequence) and `_` (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. ### Details **File:** `phpmyfaq/src/phpMyFAQ/Search.php`, lines 226–240 **Vulnerable code:** ```php $escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm); $searchWords = explode(' ', $escapedSearchTerm); $searchConditions = []; foreach ($searchWords as $word) { if (strlen($word) <= 2) { continue; } $searchConditions[] = sprintf( "(page_title LIKE '%%%s%%' OR content LIKE '%%%s%%')", $word, $word ); } ``` `escape()` calls `mysqli::real_escape_string()`, which escapes characters like `'`, `\`, `NULL`, etc. — but explicitly does **not** escape `%` or `_`, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards. **Attack vector:** A user submits a search term containing `_` or `%` as part of a 3+ character word (to bypass the `strlen <= 2` filter). Examples: - Search for `a_b` → LIKE becomes `'%a_b%'` → `_` matches any single character, e.g. matches `"aXb"`, `"a1b"`, `"azb"` — broader than the literal string `a_b` - Search for `te%t` → LIKE becomes `'%te%t%'` → matches `test`, `text`, `te12t`, etc. - Search for `_%_` → LIKE becomes `'%_%_%'` → matches any record with at least one character, effectively dumping all custom pages This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions. ### PoC 1. Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default). 2. Submit a search query: `_%_` (underscore, percent, underscore — length 3, bypasses the `<= 2` filter). 3. The backend executes: `WHERE (page_title LIKE '%_%_%' OR content LIKE '%_%_%')` 4. This matches **all** custom pages with at least one character in title or content — returning content that would not appear for a specific search term. ### Impact - **Authentication required:** None — search is publicly accessible - **Affected component:** `searchCustomPages()` in `Search.php`; custom pages (faqcustompages table) - **Impact:** Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter - **Fix:** Escape `%` and `_` in LIKE search terms before interpolation: ```php $word = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word); ``` Or use parameterized queries with properly escaped LIKE values.

What is the severity of CVE-2026-34973?

CVE-2026-34973 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-34973?

No known public exploits are currently available for CVE-2026-34973.

Is there a patch available for CVE-2026-34973?

No official patches have been released yet for CVE-2026-34973. Consider implementing workarounds or mitigations.

CVE-2026-34973 - CVE Details, Severity, and Analysis

Q: What is the severity of CVE-2026-34973?

CVE-2026-34973 has a CVSS v3 score of 0, which is classified as Low severity.

Q: Is there an exploit available for CVE-2026-34973?

No known public exploits are currently available for CVE-2026-34973.

Q: Is there a patch available for CVE-2026-34973?

No official patches have been released yet for CVE-2026-34973. Consider implementing workarounds or mitigations.

Published: April 2, 2026

Last updated:3 hours ago (April 2, 2026)

Updated April 2, 2026

Summary

The searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure.

Details

File: phpmyfaq/src/phpMyFAQ/Search.php, lines 226–240

Vulnerable code:

$escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm);
$searchWords = explode(' ', $escapedSearchTerm);
$searchConditions = [];

foreach ($searchWords as $word) {
    if (strlen($word) <= 2) {
        continue;
    }
    $searchConditions[] = sprintf(
        "(page_title LIKE '%%%s%%' OR content LIKE '%%%s%%')",
        $word,
        $word
    );
}

escape() calls mysqli::real_escape_string(), which escapes characters like ', \, NULL, etc. — but explicitly does not escape % or _, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.

Attack vector:

A user submits a search term containing _ or % as part of a 3+ character word (to bypass the strlen <= 2 filter). Examples:

Search for a_b → LIKE becomes '%a_b%' → _ matches any single character, e.g. matches "aXb", "a1b", "azb" — broader than the literal string a_b
Search for te%t → LIKE becomes '%te%t%' → matches test, text, te12t, etc.
Search for _%_ → LIKE becomes '%_%_%' → matches any record with at least one character, effectively dumping all custom pages

This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.

PoC

Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).
Submit a search query: _%_ (underscore, percent, underscore — length 3, bypasses the <= 2 filter).
The backend executes: WHERE (page_title LIKE '%_%_%' OR content LIKE '%_%_%')
This matches all custom pages with at least one character in title or content — returning content that would not appear for a specific search term.

Impact

Authentication required: None — search is publicly accessible
Affected component: searchCustomPages() in Search.php; custom pages (faqcustompages table)
Impact: Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter
Fix: Escape % and _ in LIKE search terms before interpolation:
```
$word = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word);
```
Or use parameterized queries with properly escaped LIKE values.

Strobes VI. (2026). CVE-2026-34973 - CVE Details and Analysis. Strobes VI. Retrieved April 2, 2026, from https://vi.strobes.co/cve/CVE-2026-34973

Published: April 2, 2026

Last updated:3 hours ago (April 2, 2026)

Updated April 2, 2026

Summary

Details

File: phpmyfaq/src/phpMyFAQ/Search.php, lines 226–240

Vulnerable code:

$escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm);
$searchWords = explode(' ', $escapedSearchTerm);
$searchConditions = [];

foreach ($searchWords as $word) {
    if (strlen($word) <= 2) {
        continue;
    }
    $searchConditions[] = sprintf(
        "(page_title LIKE '%%%s%%' OR content LIKE '%%%s%%')",
        $word,
        $word
    );
}

Attack vector:

A user submits a search term containing _ or % as part of a 3+ character word (to bypass the strlen <= 2 filter). Examples:

Search for a_b → LIKE becomes '%a_b%' → _ matches any single character, e.g. matches "aXb", "a1b", "azb" — broader than the literal string a_b
Search for te%t → LIKE becomes '%te%t%' → matches test, text, te12t, etc.
Search for _%_ → LIKE becomes '%_%_%' → matches any record with at least one character, effectively dumping all custom pages

This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.

PoC

Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).
Submit a search query: _%_ (underscore, percent, underscore — length 3, bypasses the <= 2 filter).
The backend executes: WHERE (page_title LIKE '%_%_%' OR content LIKE '%_%_%')
This matches all custom pages with at least one character in title or content — returning content that would not appear for a specific search term.

Impact

Authentication required: None — search is publicly accessible
Affected component: searchCustomPages() in Search.php; custom pages (faqcustompages table)
Impact: Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter
Fix: Escape % and _ in LIKE search terms before interpolation:
```
$word = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word);
```
Or use parameterized queries with properly escaped LIKE values.

Strobes VI. (2026). CVE-2026-34973 - CVE Details and Analysis. Strobes VI. Retrieved April 2, 2026, from https://vi.strobes.co/cve/CVE-2026-34973

CVE-2026-34973

Summary

Details

PoC

Impact

Ready for Agentic Automated Testing?

CVE-2026-34973

Summary

Details

PoC

Impact