CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
VariantDraftLikelihood: High
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,010)
page 7 of 51| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22516 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.This issue affects Wizor's: from n/a through <= 2.12. | |
| CVE-2026-22515 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.This issue affects VegaDays: from n/a through <= 1.2.0. | |
| CVE-2026-22514 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion.This issue affects Unica: from n/a through <= 1.4.1. | |
| CVE-2026-22513 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion.This issue affects Triompher: from n/a through <= 1.1.0. | |
| CVE-2026-22512 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1. | |
| CVE-2026-22511 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion.This issue affects NeoBeat: from n/a through <= 1.2. | |
| CVE-2026-22509 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion.This issue affects Gioia: from n/a through <= 1.4. | |
| CVE-2026-22508 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion.This issue affects Dentalux: from n/a through <= 3.3. | |
| CVE-2026-22506 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion.This issue affects Amoli: from n/a through <= 1.0. | |
| CVE-2026-22504 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects ProLingua: from n/a through <= 1.1.12. | |
| CVE-2026-22503 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelson: from n/a through <= 1.2.0. | |
| CVE-2026-22502 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9. | |
| CVE-2026-22499 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Lella: from n/a through <= 1.2. | |
| CVE-2026-22498 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1. | |
| CVE-2026-22496 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion.This issue affects Hypnotherapy: from n/a through <= 1.2.10. | |
| CVE-2026-22495 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion.This issue affects Greenville: from n/a through <= 1.3.2. | |
| CVE-2026-22494 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion.This issue affects Good Homes: from n/a through <= 1.3.13. | |
| CVE-2026-22493 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gaspard gaspard allows PHP Local File Inclusion.This issue affects Gaspard: from n/a through <= 1.3. | |
| CVE-2026-22324 | Hig | 0.53 | 8.1 | 0.00 | Mar 20, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0. | |
| CVE-2026-27093 | Hig | 0.53 | 8.1 | 0.00 | Mar 19, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6. |