Is PHP affected by CVE-2026-24538?

A critical vulnerability in Omnipress versions 1.6.6 and earlier allows attackers to include and execute arbitrary local files through PHP, potentially leading to unauthorized data access, system compromise, or application takeover.

CVE-2026-24538

Q: How to fix CVE-2026-24538?

Within 24 hours: Audit all systems running Omnipress to identify affected versions and document exposure scope; isolate or disable Omnipress if business operations permit. Within 7 days: Implement WAF rules to block file inclusion attempts (monitor for ../ patterns and local file paths in parameters); consider removing Omnipress entirely if alternative solutions exist. Within 30 days: Establish vendor contact to track patch availability; if no patch is released, migrate to alternative maintained plugins and complete migration validation.

HIGH

2026-01-23 [email protected]

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 23, 2026 - 15:16 nvd

HIGH 7.6

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion.This issue affects Omnipress: from n/a through <= 1.6.6.

Analysis

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. …

Remediation

Within 24 hours: Audit all systems running Omnipress to identify affected versions and document exposure scope; isolate or disable Omnipress if business operations permit. Within 7 days: Implement WAF rules to block file inclusion attempts (monitor for ../ patterns and local file paths in parameters); consider removing Omnipress entirely if alternative solutions exist. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-24538 vulnerability details – vuln.today

Back

CVE-2026-24538

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-24538

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code