CWE-98
High likelihood
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
1,149 vulnerabilities with CWE-98
CVE-2026-49954
HIGH
Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory
CVSS 7.2
CVE-2026-9662
HIGH
Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
CVSS 8.1
CVE-2026-39553
HIGH
WordPress WaveRide theme <= 1.4 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2026-39552
HIGH
WordPress Blueprint theme < 1.1.5 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2026-44239
HIGH
FreePBX: Authenticated Local File Inclusion in Dashboard Module
CVSS 8.8
CVE-2026-9559
CRITICAL
Mautic 7 - Authenticated Path Traversal and Remote Code Execution via Campaign Import ZIP Extraction
CVSS 9.9
CVE-2026-37266
HIGH
Responsive FileManager 9.14.0 - Remote Code Execution via force_download.php
CVSS 8.0
CVE-2026-48972
HIGH
WordPress SeedProd Pro plugin < 6.19.5 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-9200
HIGH
Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
CVSS 7.5
CVE-2026-48133
HIGH
Check Point Quantum Security Gateway - Identity Awareness Captive Portal - Unauthenticated Local File Inclusion
CVSS 7.5
CVE-2026-39661
HIGH
WordPress SW Core plugin <= 1.7.18 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-8134
HIGH
Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion
CVSS 7.2
CVE-2026-39850
HIGH
Yii 2: Local file inclusion via view parameter name collision
CVSS 7.4
CVE-2026-7522
HIGH
Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'
CVSS 8.8
CVE-2026-3425
HIGH
RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path'
CVSS 8.8
CVE-2026-8208
HIGH
Gibbon < 30.0.01 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2026-41228
CRITICAL
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
CVSS 9.9
CVE-2026-1620
HIGH
Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter
CVSS 8.8
CVE-2026-39387
HIGH
BoidCMS: Local File Inclusion (LFI) leads to Remote Code Execution (RCE) via tpl parameter
CVSS 7.2
CVE-2026-30480
MEDIUM
LibreNMS 22.11.0-23-gd091788f2 - LFI
CVSS 6.5
CVE-2026-39684
HIGH
WordPress OrganicFood theme <= 3.6.4 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-39681
HIGH
WordPress Homeo theme <= 1.2.59 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-39679
HIGH
WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-39677
HIGH
WordPress Emphires theme <= 3.9 - Local File Inclusion vulnerability
CVSS 7.5
CVE-2026-39623
HIGH
WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability
CVSS 7.5
Details
Vulnerabilities: 1,149
Exploit Likelihood: High