Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.
AnalysisAI
PHP Local/Remote File Inclusion (LFI/RFI) vulnerability in LoftOcean CozyStay that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The vulnerability affects CozyStay with a CVSS score of 8.1 (High severity), enabling attackers to read sensitive files, execute arbitrary code, or compromise system integrity without requiring user interaction or authentication.
Technical ContextAI
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP security flaw where user-supplied input is passed unsanitized to PHP's include(), require(), include_once(), or require_once() functions. CozyStay, a property management/booking system by LoftOcean, fails to properly validate or sanitize filename parameters before using them in file inclusion statements. While classified as 'PHP Remote File Inclusion' in the CVE title, the description indicates Local File Inclusion (LFI) is the primary concern, though RFI may be possible if PHP wrappers (stream:// protocols) are enabled. The vulnerability bypasses critical security controls that should restrict includes to whitelisted paths or implement strict input validation.
RemediationAI
Immediate actions: (1) Contact LoftOcean for official security advisories and patch availability at https://loftocean.com or support channels; (2) Implement network segmentation to restrict direct internet access to CozyStay instances; (3) Deploy Web Application Firewall (WAF) rules to block common LFI payloads (e.g., regex patterns for '../', 'php://', 'file://', 'expect://' in request parameters); (4) Review and audit all include/require statements in CozyStay codebase for unsanitized user input. Long-term: Apply official patches from LoftOcean when released, upgrade to patched versions immediately. Mitigation: If patching is delayed, implement strict input validation using whitelisting (only allow expected filenames/directories) and disable PHP wrappers via php.ini (allow_url_include=Off, allow_url_fopen=Off).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18523