By weakness (CWE)
CWE-98: related vulnerabilities
CVEs classified under CWE-98. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
11 published vulnerabilities
- CVE-2026-44239HIGH 8.8
FreePBX, a widely deployed open-source phone system platform, contains a path traversal vulnerability in its Dashboard module that allows authenticated users to execute arbitrary PHP code. By manipulating a parameter in a web request, an attacker can bypass normal file access restrictions and cause the system to load and execute specially-named PHP files from unexpected locations on the server. This is a serious issue because it grants code execution to any user with valid login credentials.
- CVE-2025-53440HIGH 8.1
CVE-2025-53440 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Confidant that allows an attacker to manipulate file path inputs, potentially leading to the inclusion and execution of arbitrary files on the affected server. The vulnerability stems from improper validation of filenames used in PHP include/require statements. An attacker can exploit this over the network without authentication to read sensitive files or execute malicious code, posing a significant risk to websites using vulnerable versions of Confidant.
- CVE-2025-58705HIGH 8.1
CVE-2025-58705 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Crafti through version 1.12. An attacker can exploit improper filename validation in PHP include/require statements to include and execute arbitrary local files on the server. This allows remote code execution without authentication, making it a critical risk for any organization running vulnerable Crafti installations. The vulnerability has a CVSS 3.1 score of 8.1 (HIGH severity) with network accessibility and high impact across confidentiality, integrity, and availability.
- CVE-2025-58707HIGH 8.1
CVE-2025-58707 is a file inclusion vulnerability in Axiomthemes Spin that allows attackers to include and execute arbitrary local files on the server. By manipulating input parameters, an unauthenticated attacker can reference files outside the intended directory, potentially exposing sensitive data or executing malicious code. The vulnerability affects Spin versions up through 1.8 and carries a CVSS score of 8.1, reflecting its severity.
- CVE-2025-58897HIGH 8.1
Axiomthemes Fermentio contains a vulnerability that allows attackers to include and execute arbitrary PHP files from the local server, potentially leading to unauthorized access, data theft, or system compromise. The vulnerability stems from insufficient validation of filenames used in PHP include/require statements, enabling attackers to manipulate file paths without authentication. Versions up to and including 1.5.0 are affected.
- CVE-2025-68886HIGH 8.1
A vulnerability in androThemes Cookiteer plugin allows an attacker to include and execute arbitrary local files through improper input handling in PHP include/require statements. While the vulnerability is classified as a Local File Inclusion (LFI) rather than true Remote File Inclusion, the network-accessible nature of web plugins means an unauthenticated attacker can exploit this remotely to read sensitive files or potentially execute code, depending on file availability and server configuration. All versions through 1.4.8 are affected.
- CVE-2025-69369HIGH 8.1
CVE-2025-69369 is a file inclusion vulnerability in Axiomthemes Racquet versions up to 1.12.0 that allows an attacker to manipulate how the application loads files, potentially executing arbitrary code or accessing sensitive data on the server. The flaw stems from insufficient validation of file paths in PHP include/require statements, making it possible to load unintended files from the local filesystem or, in some configurations, from remote sources.
- CVE-2026-39552HIGH 8.1
Code Supply Co. Blueprint contains a vulnerability that allows attackers to include and execute arbitrary local files through PHP, provided they can craft specific requests to the affected application. While the vulnerability is classified as "remote" in nature due to network accessibility, exploitation requires specific conditions including high complexity in attack construction. Versions before 1.1.5 are affected. Organizations running Blueprint should prioritize upgrading to the patched version.
- CVE-2026-39553HIGH 8.1
A PHP Local File Inclusion (LFI) vulnerability exists in Select-Themes WaveRide versions up to and including 1.4. The flaw allows an attacker to manipulate filename parameters used in PHP include or require statements, potentially enabling unauthorized file access and code execution on affected systems. The vulnerability is triggered through network requests and does not require authentication or user interaction.
- CVE-2026-37266HIGH 8.0
Responsive File Manager version 9.14.0 contains a remote code execution vulnerability in its force_download.php component. An authenticated attacker can exploit this flaw to execute arbitrary code on the server, potentially gaining full control of the application and underlying system. The vulnerability requires an attacker to have valid login credentials and user interaction (such as clicking a malicious link), but poses a significant risk in multi-user or publicly accessible deployments.
- CVE-2025-58024HIGH 7.5
UnboundStudio's Accordion FAQ plugin contains a vulnerability that allows authenticated users to include and execute arbitrary local files on the server. An attacker with login credentials could potentially read sensitive files or execute malicious code by manipulating how the plugin handles file inclusion requests. This is a local file inclusion (LFI) issue, not a remote file inclusion despite the CWE classification, meaning attackers must have valid user access to exploit it.