CVE-2026-39552: PHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance
Code Supply Co. Blueprint contains a vulnerability that allows attackers to include and execute arbitrary local files through PHP, provided they can craft specific requests to the affected application. While the vulnerability is classified as "remote" in nature due to network accessibility, exploitation requires specific conditions including high complexity in attack construction. Versions before 1.1.5 are affected. Organizations running Blueprint should prioritize upgrading to the patched version.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-39552 is a PHP Local File Inclusion (LFI) vulnerability stemming from improper control of filename parameters in include/require statements (CWE-98). The vulnerability allows an attacker to manipulate file inclusion logic to load and execute local files on the affected system. The CVSS v3.1 score of 8.1 reflects the high-complexity network attack vector, high impact across confidentiality, integrity, and availability, and the absence of privilege requirements. The high attack complexity suggests exploitation requires specific conditions or detailed knowledge of the application's file structure and request handling.
Business impact
Successful exploitation could enable an attacker to read sensitive files, execute arbitrary code within the context of the web application, or cause application disruption. Depending on application configuration and file permissions, attackers might access configuration files containing credentials, application source code, or system files. Code execution could allow lateral movement within the infrastructure or compromise of connected systems. The HIGH severity rating underscores the need for timely remediation to prevent potential data breaches or service disruption.
Affected systems
Code Supply Co. Blueprint versions prior to 1.1.5 are vulnerable. The exact scope of affected versions is not fully enumerated in available data; however, any deployment running a version before 1.1.5 should be considered at risk. Organizations should verify their deployed version immediately and cross-reference against vendor advisory documentation for definitive version information.
Exploitability
The CVSS vector indicates high attack complexity (AC:H), meaning exploitation is not trivial and typically requires specific knowledge of the target application's file structure, request handling, or specific environmental conditions. There is no current evidence this vulnerability is being actively exploited in the wild (not listed on CISA's KEV catalog). However, the network-accessible attack surface and the high impact if successful mean this should not be treated as low-risk simply due to complexity; determined attackers with detailed knowledge of Blueprint can likely succeed.
Remediation
Upgrade Code Supply Co. Blueprint to version 1.1.5 or later. Prior to patching, implement network segmentation to restrict access to Blueprint instances, enforce authentication controls if available, and monitor file access logs for suspicious patterns. Apply principle of least privilege to limit the file system scope accessible to the web application process.
Patch guidance
Review the Code Supply Co. Blueprint release notes and security advisory for version 1.1.5 to confirm this version addresses CVE-2026-39552. Test the patch in a non-production environment to verify compatibility with your deployment before rolling out to production. If version 1.1.5 is not available in your supported release channel, contact Code Supply Co. for guidance on patch availability and timeline. Document the patch deployment date and verify successful application across all affected instances.
Detection guidance
Monitor application logs and web server access logs for requests containing suspicious file path patterns (e.g., ../, /etc/, /proc/). Watch for POST/GET parameters that reference local file paths or encoding attempts to bypass filters. Implement SIEM rules to flag unusual include/require parameter values. Review file access patterns from the web application process to identify unexpected reads of sensitive files. Consider deploying a Web Application Firewall (WAF) rule to block common LFI payloads while you plan patching.
Why prioritize this
Although this vulnerability has not yet been added to CISA's Known Exploited Vulnerabilities catalog, the combination of HIGH CVSS severity, network accessibility, and high impact across CIA triad warrants prompt prioritization. The fact that attack complexity is high—not low—provides a moderate window of time, but should not delay patch planning. Organizations should schedule Blueprint upgrades within their standard critical patch cycle (typically 30 days) rather than treating this as an emergency.
Risk score, explained
The CVSS v3.1 score of 8.1 (HIGH) reflects: network-based attack vector (AV:N) with no privilege requirements (PR:N) and no user interaction (UI:N), offset by high attack complexity (AC:H) that requires specific conditions to exploit. The impact is severe across all three pillars—confidentiality (access to local files), integrity (potential code execution), and availability (potential service disruption). The attack complexity prevents this from reaching CRITICAL (9.0+) but does not diminish the high business impact if exploitation succeeds.
Frequently asked questions
Do we need to patch immediately, or can we wait for the next maintenance window?
While CVE-2026-39552 is not currently listed on CISA's KEV catalog, the HIGH CVSS score and potential for code execution merit inclusion in your critical patch cycle. Target patching within 30 days if possible; however, if your organization has strong network controls isolating Blueprint instances or limited internet-facing exposure, a slightly longer window is defensible while you test in staging. Do not delay beyond 60 days.
What should we do if we cannot patch immediately?
Implement compensating controls: restrict network access to Blueprint to known, trusted IP ranges; enable all available authentication and authorization controls; monitor logs aggressively for LFI-related patterns; and confirm the web application process runs with minimal file system permissions. Consider temporarily disabling Blueprint if it is not critical, or deploying a WAF rule to block suspicious include/require parameter patterns. Schedule patching as soon as testing resources permit.
How do I know if Blueprint has been exploited?
Review web server and application logs for: requests with suspicious file path encodings, repeated failed attempts to access /etc/ or system paths, unusual parameter values in include/require handling, and file access logs showing the web application process reading unexpected files. Check for evidence of file access outside the intended application directory. If compromise is suspected, preserve logs and engage forensic or incident response resources immediately.
Are there any known workarounds or temporary fixes?
There is no known workaround that eliminates the vulnerability without upgrading to 1.1.5 or later. Compensating controls (network segmentation, access logging, WAF rules) reduce risk but do not eliminate it. The definitive fix is to apply the patched version as soon as your testing and deployment process permits.
This analysis is provided for informational purposes and represents the knowledge available as of the publication date. CVSS scores, vendor advisories, and patch availability are subject to change; always verify against official Code Supply Co. and NIST/NVD sources before making patching decisions. No exploit code or detailed exploitation techniques are provided herein. Organizations must conduct their own risk assessments and testing in accordance with their security policies and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php