VYPR

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

VariantDraftLikelihood: High

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,010)

page 13 of 51
  • CVE-2026-27342HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit allows PHP Local File Inclusion.This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through <= 1.9.

  • CVE-2026-27341HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2.

  • CVE-2026-27340HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.

  • CVE-2026-27339HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme buzzstone allows PHP Local File Inclusion.This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through <= 1.0.2.

  • CVE-2026-27337HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through <= 1.0.

  • CVE-2026-27336HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion.This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through <= 1.2.4.

  • CVE-2026-27335HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0.

  • CVE-2026-27334HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dan_fisher Alchemists alchemists allows PHP Local File Inclusion.This issue affects Alchemists: from n/a through <= 4.6.0.

  • CVE-2026-27326HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through <= 1.2.5.

  • CVE-2026-27097HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.

  • CVE-2026-23801HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11.

  • CVE-2026-22478HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes FindAll findall allows PHP Local File Inclusion.This issue affects FindAll: from n/a through <= 1.4.

  • CVE-2026-22477HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4.

  • CVE-2026-22476HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion.This issue affects Etchy: from n/a through <= 1.0.

  • CVE-2026-22457HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue affects Wanderland: from n/a through <= 1.5.

  • CVE-2026-22456HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Askka askka allows PHP Local File Inclusion.This issue affects Askka: from n/a through <= 1.0.

  • CVE-2026-22452HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hoverex hoverex allows PHP Local File Inclusion.This issue affects Hoverex: from n/a through <= 1.5.10.

  • CVE-2026-22449HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Don Peppe donpeppe allows PHP Local File Inclusion.This issue affects Don Peppe: from n/a through <= 1.3.

  • CVE-2026-22446HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion.This issue affects Prowess: from n/a through <= 1.8.1.

  • CVE-2026-22443HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Alliance alliance allows PHP Local File Inclusion.This issue affects Alliance: from n/a through <= 3.1.1.