CWE-98— PHP Remote File Inclusion
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.— MITRE CWE catalog
1,240 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-98page 25 of 25
- CVE-2026-39547HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Getaway < 1.8 versions.
- CVE-2026-39549HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions.
- CVE-2026-39552HIGHCVSS 8.1EG 8.12026-06-02
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.
- CVE-2026-39553HIGHCVSS 8.1EG 8.12026-06-02
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.
- CVE-2026-39558HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Malmö <= 2.2 versions.
- CVE-2026-39559HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.
- CVE-2026-39568HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.
- CVE-2026-39582HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions.
- CVE-2026-39590HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions.
- CVE-2026-39611HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9.
- CVE-2026-39613HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.This issue affects Boutique: from n/a through <= 2.3…
- CVE-2026-39623HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3.
- CVE-2026-39661HIGHCVSS 7.5EG 7.52026-05-26
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.
- CVE-2026-39677HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.…
- CVE-2026-39679HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.
- CVE-2026-39681HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59.
- CVE-2026-39684HIGHCVSS 7.5EG 7.52026-04-08
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.…
- CVE-2026-39850HIGHCVSS 7.4EG 7.42026-05-20
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before t…
- CVE-2026-40721HIGHCVSS 7.5EG 7.52026-06-17
Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions.
- CVE-2026-40731HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions.
- CVE-2026-41228CRITICALCVSS 9.9EG 9.92026-04-23
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. A…
- CVE-2026-42382HIGHCVSS 8.1EG 8.12026-07-02
Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
- CVE-2026-44239HIGHCVSS 7.6EG 7.62026-05-29
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated int…
- CVE-2026-48133HIGHCVSS 7.5EG 7.52026-05-26
When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway.
- CVE-2026-48820MEDIUMCVSS 6.3EG 6.32026-06-17
CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element…
- CVE-2026-48972HIGHCVSS 7.5EG 7.52026-05-27
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5.
- CVE-2026-49954HIGHCVSS 7.2EG 7.22026-06-15
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal…
- CVE-2026-5137MEDIUMCVSS 4.3EG 4.32026-07-03
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX en…
- CVE-2026-54814HIGHCVSS 8.1EG 8.12026-06-17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.
- CVE-2026-54845HIGHCVSS 8.1EG 8.12026-06-25
Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
- CVE-2026-57647HIGHCVSS 7.5EG 7.52026-06-26
Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.
- CVE-2026-57748HIGHCVSS 7.5EG 7.52026-07-02
Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
- CVE-2026-57749HIGHCVSS 7.5EG 7.52026-07-02
Contributor Local File Inclusion in SportsPress Pro <= 2.7.29 versions.
- CVE-2026-7515CRITICALCVSS 9.8EG 9.82026-06-19
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php…
- CVE-2026-7522HIGHCVSS 8.8EG 8.82026-05-20
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-…
- CVE-2026-8134HIGHCVSS 7.2EG 7.22026-05-21
Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing …
- CVE-2026-8208HIGHCVSS 8.9EG 8.92026-05-09
Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teac…
- CVE-2026-9200HIGHCVSS 7.5EG 7.52026-05-27
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and ab…
- CVE-2026-9559CRITICALCVSS 9.9EG 9.92026-05-29
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An…
- CVE-2026-9662HIGHCVSS 8.1EG 8.12026-06-09
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter befo…
Map vulnerabilities like CWE-98 to your infrastructure
EchelonGraph correlates every CVE — across CWE-98 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →