CVE-2026-39552

Vulnerability

An Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, exists in Code Supply Co. Blueprint. This vulnerability allows for PHP Local File Inclusion. It affects Blueprint versions prior to 1.1.5 [1].

Exploitation

An attacker can exploit this vulnerability by including local files from the target website. The output of these files can then be displayed on the screen. No specific authentication or network position requirements are mentioned in the available references, but it is noted that such vulnerabilities are often used in mass-exploit campaigns [1].

Impact

Successful exploitation allows a malicious actor to include and display local files, potentially leading to the disclosure of sensitive information such as database credentials. Depending on the server configuration, this could result in a complete database takeover [1].

Mitigation

Update to version 1.1.5 or later to resolve this vulnerability. If an immediate update is not possible, users are advised to seek assistance from their hosting provider or web developer. Patchstack has issued a mitigation rule to block attacks until a patched version is installed [1].