CWE-98

High likelihood

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The PHP application receives input from an upstream component but does not restrict it, or restricts it incorrectly, before using it in "require", "include", or similar functions.

1,149 vulnerabilities with CWE-98
CVE-2026-25548 CRITICAL
InvoicePlane 1.7.0 - RCE via LFI & Log Poisoning
CVSS 9.1
CVE-2026-1988 HIGH
Flexi Product Slider & Grid - Local File Inclusion
CVSS 7.5
CVE-2026-25027 HIGH
ThemeMove Unicamp <2.7.1 - Code Injection
CVSS 7.5
CVE-2026-1257 HIGH
WordPress <0.3.4 - Local File Inclusion
CVSS 7.5
CVE-2026-24635 HIGH
DevsBlink EduBlink Core <2.0.8 - Code Injection
CVSS 7.5
CVE-2026-24609 HIGH
Laurent <= 3.1 - PHP Local File Inclusion
CVSS 7.5
CVE-2026-24608 HIGH
Laurent Core <2.4.1 - Code Injection
CVSS 7.5
CVE-2026-24538 HIGH
Omnipress <= 1.6.7 - PHP Local File Inclusion
CVSS 7.5
CVE-2026-24531 HIGH
Select-Themes Prowess <= 2.3 - Code Injection
CVSS 7.5
CVE-2026-24390 HIGH
QantumThemes Kentha Elementor Widgets < 3.1 - Code Injection
CVSS 7.5
CVE-2026-23978 HIGH
Softwebmedia Gyan Elements <= 2.2.1 - Code Injection
CVSS 7.5
CVE-2026-23975 HIGH
uxper Golo < 1.7.5 - PHP Local File Inclusion
CVSS 7.5
CVE-2026-22464 HIGH
wphocus My auctions allegro <3.6.33 - Code Injection
CVSS 7.5
CVE-2026-22402 HIGH
pavothemes Triply <= 2.4.7 - Code Injection
CVSS 7.5
CVE-2026-22401 HIGH
pavothemes Freshio <2.4.2 - Code Injection
CVSS 7.5
CVE-2026-22521 HIGH
G5Theme Handmade Framework <3.9 - Code Injection
CVSS 7.5
CVE-2025-69369 HIGH
WordPress Racquet theme <= 1.12.0 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-68886 HIGH
WordPress Cookiteer theme <= 1.4.8 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-58897 HIGH
WordPress Fermentio theme <= 1.5.0 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-58707 HIGH
WordPress Spin theme <= 1.8 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-58705 HIGH
WordPress Crafti theme <= 1.12 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-58024 HIGH
WordPress Accordion FAQ Plugin <= 2.2.1 - Local File Inclusion Vulnerability
CVSS 7.5
CVE-2025-53440 HIGH
WordPress Confidant theme <= 1.4 - Local File Inclusion vulnerability
CVSS 8.1
CVE-2025-5804 HIGH
WordPress Case Theme User < 1.0.4 - Local File Inclusion Vulnerability
CVSS 7.5
CVE-2025-58913 HIGH
WordPress VideoPro theme <= 2.3.8.1 - Local File Inclusion vulnerability
CVSS 8.1