CWE-98— PHP Remote File Inclusion
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.— MITRE CWE catalog
1,240 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-98page 1 of 25
- CVE-2012-10025CRITICALCVSS 10.0EG 10.02025-08-05
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an…
- CVE-2014-9186CRITICALCVSS 9.8EG 9.82019-04-08
A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential inform…
- CVE-2015-10133HIGHCVSS 7.2EG 7.22025-07-19
The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include a…
- CVE-2015-6461MEDIUMCVSS 5.4EG 5.42019-03-21
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BM…
- CVE-2016-20064MEDIUMCVSS 6.2EG 6.22026-06-09
WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequen…
- CVE-2016-20077MEDIUMCVSS 6.2EG 6.22026-06-15
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded …
- CVE-2016-20078MEDIUMCVSS 6.2EG 6.22026-06-15
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET re…
- CVE-2016-20079MEDIUMCVSS 6.2EG 6.22026-06-15
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with director…
- CVE-2016-20080MEDIUMCVSS 6.2EG 6.22026-06-15
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can sup…
- CVE-2016-20082MEDIUMCVSS 6.2EG 6.22026-06-15
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious…
- CVE-2016-6565HIGHCVSS 7.5EG 7.52018-07-13
The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, …
- CVE-2017-14095HIGHCVSS 8.1EG 8.12018-01-19
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system.
- CVE-2018-25231MEDIUMCVSS 6.2EG 6.22026-03-30
HeidiSQL 9.5.0.5196 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long file path in the logging preferences. Attackers can input a buffer-overflow payload throug…
- CVE-2018-25324MEDIUMCVSS 6.2EG 6.22026-05-17
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4…
- CVE-2018-25329HIGHCVSS 7.5EG 7.52026-05-17
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.c…
- CVE-2019-25760MEDIUMCVSS 6.2EG 6.22026-06-19
Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the opt…
- CVE-2019-5479HIGHCVSS 7.5EG 7.52019-09-03
An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).
- CVE-2020-13175HIGHCVSS 7.5EG 7.52020-08-11
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows …
- CVE-2020-37169MEDIUMCVSS 5.5EG 5.52026-05-13
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requ…
- CVE-2020-37246MEDIUMCVSS 6.2EG 6.22026-05-16
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin…
- CVE-2020-5295MEDIUMCVSS 4.8EG 4.82020-06-03
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated b…
- CVE-2021-21804CRITICALCVSS 9.8EG 9.82021-07-16
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafte…
- CVE-2021-22968HIGHCVSS 7.2EG 7.22021-11-19
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory e…
- CVE-2021-29113MEDIUMCVSS 4.7EG 4.72021-12-07
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.
- CVE-2021-47734HIGHCVSS 7.8EG 5.52025-12-23
CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path…
- CVE-2021-47900CRITICALCVSS 9.8EG 9.82026-01-27
Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent hea…
- CVE-2021-47978MEDIUMCVSS 6.2EG 6.22026-05-16
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences…
- CVE-2022-40089CRITICALCVSS 9.8EG 9.82022-09-22
A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.
- CVE-2022-41547HIGHCVSS 7.5EG 7.52022-10-18
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP r…
- CVE-2022-4446CRITICALCVSS 9.8EG 9.82022-12-13
PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.
- CVE-2022-44786HIGHCVSS 7.5EG 7.52022-11-21
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET request…
- CVE-2022-4606CRITICALCVSS 9.8EG 9.82022-12-18
PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.
- CVE-2022-4982HIGHCVSS 8.7EG 8.72025-11-12
DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sid…
- CVE-2022-50897MEDIUMCVSS 5.5EG 6.22026-01-13
mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through cr…
- CVE-2022-50954MEDIUMCVSS 6.2EG 6.22026-05-10
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path trave…
- CVE-2023-2249HIGHCVSS 8.8EG 8.82023-06-09
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropri…
- CVE-2023-23565MEDIUMCVSS 4.9EG 4.92023-08-22
An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.
- CVE-2023-24217HIGHCVSS 8.8EG 8.82023-03-06
AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.
- CVE-2023-2551HIGHCVSS 8.8EG 7.22023-05-05
PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1.
- CVE-2023-25995HIGHCVSS 7.5EG 7.52025-06-06
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in choicehomemortgage AI Mortgage Calculator allows PHP Local File Inclusion. This issue affects AI Mortgage Calculator: …
- CVE-2023-25998HIGHCVSS 8.1EG 8.12025-06-27
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects S…
- CVE-2023-25999HIGHCVSS 8.1EG 8.12025-06-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Bod…
- CVE-2023-26005HIGHCVSS 8.1EG 8.12025-06-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush allows PHP Local File Inclusion. This issue affects Fitrush: from n/a through 1.3.4.
- CVE-2023-31716HIGHCVSS 7.5EG 7.52023-09-22
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
- CVE-2023-31718HIGHCVSS 7.5EG 7.52023-09-22
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
- CVE-2023-3452CRITICALCVSS 9.8EG 9.82023-08-12
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server,…
- CVE-2023-4195HIGHCVSS 8.8EG 8.82023-08-06
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
- CVE-2023-4488CRITICALCVSS 9.8EG 9.82023-10-20
The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, …
- CVE-2023-49031MEDIUMCVSS 5.1EG 5.12025-03-03
Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a crafted payload to the filename parameter …
- CVE-2023-49084HIGHCVSS 8.8EG 9.02023-12-21
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute …
Map vulnerabilities like CWE-98 to your infrastructure
EchelonGraph correlates every CVE — across CWE-98 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →