Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-27987 HIGH This Week

ThemeREX The Qlean WordPress theme through version 2.12 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server. The vulnerability requires no authentication and can be exploited remotely to access sensitive configuration files and source code. While no patch is currently available, the relatively low EPSS score suggests limited real-world exploitation at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27986 HIGH This Week

ThemeREX OsTende versions up to 1.4.3 contain a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and application data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27985 HIGH This Week

Local file inclusion in ThemeREX Humanum through version 1.1.4 enables attackers to read arbitrary files on the server by exploiting improper input validation in file inclusion mechanisms. The vulnerability requires network access but no authentication or user interaction, allowing complete compromise of confidentiality and integrity with high impact. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27383 HIGH This Week

RadiusTheme Metro versions 2.13 and earlier are susceptible to local file inclusion through improper input validation in PHP include/require statements, enabling attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive information or potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27381 HIGH This Week

PHP Local File Inclusion in Aora through version 1.3.15 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper validation of file inclusion parameters. The vulnerability carries a CVSS score of 8.1 with high impact across confidentiality, integrity, and availability, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27342 HIGH This Week

Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27341 HIGH This Week

Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27340 HIGH This Week

The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27339 HIGH This Week

The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27337 HIGH This Week

The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27336 HIGH This Week

The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27335 HIGH This Week

The Ekoterra WordPress theme through version 1.0.0 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and other protected data. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27334 HIGH This Week

PHP Local File Inclusion in dan_fisher Alchemists versions through 4.6.0 allows unauthenticated remote attackers to read arbitrary files on affected servers through improper handling of file inclusion statements. The vulnerability requires specific network conditions to exploit but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27326 HIGH This Week

The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. WordPress installations using this theme should upgrade immediately as no patch is currently available.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27097 HIGH This Week

The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-23801 HIGH This Week

Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22478 HIGH This Week

The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22477 HIGH This Week

Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22476 HIGH This Week

Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22457 HIGH This Week

Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22456 HIGH This Week

Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22452 HIGH This Week

ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22449 HIGH This Week

Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22446 HIGH This Week

Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22443 HIGH This Week

ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22442 HIGH This Week

LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22441 HIGH This Week

Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22439 HIGH This Week

Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22437 HIGH This Week

AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22436 HIGH This Week

Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22435 HIGH This Week

ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22434 HIGH This Week

Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22433 HIGH This Week

PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22432 HIGH This Week

Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22431 HIGH This Week

AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22429 HIGH This Week

Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22428 HIGH This Week

The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22427 HIGH This Week

Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22425 HIGH This Week

Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22424 HIGH This Week

Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22423 HIGH This Week

SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22421 HIGH This Week

AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22420 HIGH This Week

Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22419 HIGH This Week

AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22418 HIGH This Week

Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22416 HIGH This Week

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22415 HIGH This Week

The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22414 HIGH This Week

Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22413 HIGH This Week

Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22412 HIGH This Week

Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22410 HIGH This Week

Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22408 HIGH This Week

Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22405 HIGH This Week

Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22403 HIGH This Week

Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22399 HIGH This Week

Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22397 HIGH This Week

Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22395 HIGH This Week

Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22394 HIGH This Week

Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22392 HIGH This Week

Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22389 HIGH This Week

Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22387 HIGH This Week

Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22385 HIGH This Week

PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69339 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69090 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion.This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-53335 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-3523 MEDIUM This Month

SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.

WordPress PHP SQLi
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2019-25507 HIGH POC This Week

Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25506 HIGH POC This Week

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Freesms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2019-25503 HIGH POC This Week

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. [CVSS 7.1 HIGH]

PHP SQLi Phpads
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2019-25501 HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Simplejobscript
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25499 HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Simplejobscript
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-28783 PHP CRITICAL PATCH Act Now

Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.

PHP SSRF Craft Cms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28697 PHP CRITICAL POC PATCH Act Now

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.

PHP RCE Craft Cms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-28695 PHP HIGH POC PATCH This Week

Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

PHP RCE Craft Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3452 PHP HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization Concrete Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-28289 CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE Race Condition Freescout
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-3487 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated remote attackers to manipulate the course_code parameter in /admin/class-result.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27012 PHP CRITICAL POC Act Now

Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.

PHP Privilege Escalation Authentication Bypass Openstamanager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24898 CRITICAL POC PATCH Act Now

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.

Authentication Bypass Information Disclosure PHP Openemr
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-24848 CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-3486 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the roll_no parameter in /admin/student-fee.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but poses a risk to confidentiality, integrity, and availability of student records.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-26892 HIGH POC This Week

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 7.2).

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26891 LOW POC Monitor

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26889 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26888 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26887 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26890 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_product.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26886 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26885 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26884 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX The Qlean WordPress theme through version 2.12 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server. The vulnerability requires no authentication and can be exploited remotely to access sensitive configuration files and source code. While no patch is currently available, the relatively low EPSS score suggests limited real-world exploitation at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX OsTende versions up to 1.4.3 contain a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and application data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Humanum through version 1.1.4 enables attackers to read arbitrary files on the server by exploiting improper input validation in file inclusion mechanisms. The vulnerability requires network access but no authentication or user interaction, allowing complete compromise of confidentiality and integrity with high impact. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

RadiusTheme Metro versions 2.13 and earlier are susceptible to local file inclusion through improper input validation in PHP include/require statements, enabling attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive information or potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in Aora through version 1.3.15 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper validation of file inclusion parameters. The vulnerability carries a CVSS score of 8.1 with high impact across confidentiality, integrity, and availability, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Ekoterra WordPress theme through version 1.0.0 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and other protected data. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in dan_fisher Alchemists versions through 4.6.0 allows unauthenticated remote attackers to read arbitrary files on affected servers through improper handling of file inclusion statements. The vulnerability requires specific network conditions to exploit but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. WordPress installations using this theme should upgrade immediately as no patch is currently available.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion.This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.

WordPress PHP SQLi
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. [CVSS 7.1 HIGH]

PHP SQLi Phpads
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.

PHP SSRF Craft Cms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.

PHP RCE Craft Cms
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

PHP RCE Craft Cms
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE +2
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated remote attackers to manipulate the course_code parameter in /admin/class-result.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.

PHP Privilege Escalation Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.

Authentication Bypass Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the roll_no parameter in /admin/student-fee.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but poses a risk to confidentiality, integrity, and availability of student records.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 7.2).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_product.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
Prev Page 32 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy