CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
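The pattern the description refers to, shown as an added example (not code from any of the projects listed on this page): a request parameter is concatenated into an `include` path, beside a hardened version that treats the input only as an allowlist key and then checks the canonical path. The parameter name `page`, the `pages/` directory and the `PAGE_MAP` table are assumptions made for the example.

```php
<?php
// Added example for CWE-98, not code from any listed project. Parameter
// name, directory layout and PAGE_MAP are assumptions for illustration.

declare(strict_types=1);

// --- Vulnerable: attacker-controlled string forms the include path --------
// GET /index.php?page=../../uploads/avatar   -> includes uploads/avatar.php
// The '.php' suffix limits the reachable files to PHP files, but ../ still
// walks to any of them on disk, e.g. a file the attacker uploaded earlier.
// Without the directory prefix, php://filter/... and (only when
// allow_url_include=On) http://... would also reach include().
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// --- Hardened: user input selects a key and never forms a path ------------
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // 1. Allowlist: the request value is only ever a lookup key.
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $full = realpath($base . '/' . PAGE_MAP[$page]);
    // 2. Defence in depth: the canonical path must stay under pages/, which
    //    also rejects a symlink planted inside that directory.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Self-check of the resolver against typical payloads. The rejection cases
// need no files on disk: they fail the allowlist before realpath() runs.
// 'home' resolves only if pages/home.php actually exists.
foreach (['home',
          '../../uploads/avatar',
          'php://filter/convert.base64-encode/resource=index',
          'http://attacker.example/shell'] as $p) {
    printf("%-55s -> %s\n", $p, resolve_page($p) ?? 'rejected');
}
```

Two caveats worth keeping in mind when reviewing the entries below. Remote inclusion over `http://` additionally requires `allow_url_include=On`, which defaults to Off and has been deprecated since PHP 7.4, so most real findings mapped to this CWE are local inclusions of a file the attacker can already write to (an upload, a log, a session file). And appending a suffix or prefix to the input is not a fix: traversal survives it, and an allowlist lookup is the only control that makes the request value incapable of naming a file.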
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,041)
page 52 of 53

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-8392 | — | High | 0.40 | 7.2 | 0.00 | — | Oct 26, 2024 | The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.6 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and… |
| CVE-2026-44177 | — | High | 0.38 | — | — | — | May 26, 2026 | TL;DR: This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. Introduction: Path traversal is a type of attack that allows to… |
| CVE-2020-37169 | — | Med | 0.36 | 5.5 | 0.00 | — | May 13, 2026 | WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to… |
| CVE-2026-34036 | — | Med | 0.35 | 6.5 | 0.00 | — | Mar 31, 2026 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc… |
| CVE-2024-52386 | — | Med | 0.35 | 5.3 | 0.01 | — | Nov 16, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion. This issue affects Classified Listing: from n/a through <= 3.1.16. |
| CVE-2024-4359 | — | Med | 0.35 | 6.5 | 0.01 | — | Aug 12, 2024 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the… |
| CVE-2021-22968 | — | — | 0.35 | 5.4 | 0.03 | — | Nov 19, 2021 | A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file… |
| CVE-2025-22145 | — | Med | 0.34 | — | 0.00 | — | Jan 8, 2025 | Carbon is an international PHP extension for DateTime. Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in a folder that allows include or require to read… |
| CVE-2024-37410 | — | Med | 0.32 | 4.9 | 0.01 | — | Jul 9, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in IdeaBox Creations PowerPack Lite for Beaver Builder powerpack-addon-for-beaver-builder. This issue affects PowerPack Lite for Beaver Builder: from n/a through… |
| CVE-2024-35650 | — | Med | 0.32 | 4.9 | 0.00 | — | Jun 10, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security melapress-login-security. This issue affects MelaPress Login Security: from n/a through <= 1.3.0. |
| CVE-2025-64714 | — | Med | 0.31 | 5.8 | 0.00 | — | Nov 13, 2025 | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If `templateselection` is enabled in the configuration,… |
| CVE-2025-49405 | — | Med | 0.28 | 4.3 | 0.00 | — | Aug 28, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a before 4.1.4. |
| CVE-2024-52385 | — | Med | 0.28 | 4.3 | 0.01 | — | Dec 9, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpmart Team Member team-showcase-supreme. This issue affects Team Member: from n/a through <= 7.4. |
| CVE-2023-31716 | — | — | 0.03 | — | 0.37 | — | Sep 21, 2023 | FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log |
| CVE-2023-31718 | — | — | 0.03 | — | 0.38 | — | Sep 21, 2023 | FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download. |
| CVE-2026-33513 | — | — | 0.00 | — | 0.00 | — | Mar 23, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under… |
| CVE-2025-54138 | — | — | 0.00 | — | 0.00 | — | Jul 22, 2025 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote… |
| CVE-2015-5467 | — | — | 0.00 | — | 0.00 | — | Sep 21, 2023 | web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter. |
| CVE-2023-40033 | — | — | 0.00 | — | 0.00 | — | Aug 16, 2023 | Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file… |
| CVE-2023-4195 | — | — | 0.00 | — | 0.01 | — | Aug 6, 2023 | PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |