HIGH 8.1

CVE-2026-39552: PHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance

Code Supply Co. Blueprint contains a vulnerability that allows attackers to include and execute arbitrary local files through PHP, provided they can craft specific requests to the affected application. While the vulnerability is classified as "remote" in nature due to network accessibility, exploitation requires specific conditions including high complexity in attack construction. Versions before 1.1.5 are affected. Organizations running Blueprint should prioritize upgrading to the patched version.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-98
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-39552 is a PHP Local File Inclusion (LFI) vulnerability stemming from improper control of filename parameters in include/require statements (CWE-98). The vulnerability allows an attacker to manipulate file inclusion logic to load and execute local files on the affected system. The CVSS v3.1 score of 8.1 reflects the high-complexity network attack vector, high impact across confidentiality, integrity, and availability, and the absence of privilege requirements. The high attack complexity suggests exploitation requires specific conditions or detailed knowledge of the application's file structure and request handling.

Business impact

Successful exploitation could enable an attacker to read sensitive files, execute arbitrary code within the context of the web application, or cause application disruption. Depending on application configuration and file permissions, attackers might access configuration files containing credentials, application source code, or system files. Code execution could allow lateral movement within the infrastructure or compromise of connected systems. The HIGH severity rating underscores the need for timely remediation to prevent potential data breaches or service disruption.

Affected systems

Code Supply Co. Blueprint versions prior to 1.1.5 are vulnerable. The exact scope of affected versions is not fully enumerated in available data; however, any deployment running a version before 1.1.5 should be considered at risk. Organizations should verify their deployed version immediately and cross-reference against vendor advisory documentation for definitive version information.

Exploitability

The CVSS vector indicates high attack complexity (AC:H), meaning exploitation is not trivial and typically requires specific knowledge of the target application's file structure, request handling, or specific environmental conditions. There is no current evidence this vulnerability is being actively exploited in the wild (not listed on CISA's KEV catalog). However, the network-accessible attack surface and the high impact if successful mean this should not be treated as low-risk simply due to complexity; determined attackers with detailed knowledge of Blueprint can likely succeed.

Remediation

Upgrade Code Supply Co. Blueprint to version 1.1.5 or later. Prior to patching, implement network segmentation to restrict access to Blueprint instances, enforce authentication controls if available, and monitor file access logs for suspicious patterns. Apply principle of least privilege to limit the file system scope accessible to the web application process.

Patch guidance

Review the Code Supply Co. Blueprint release notes and security advisory for version 1.1.5 to confirm this version addresses CVE-2026-39552. Test the patch in a non-production environment to verify compatibility with your deployment before rolling out to production. If version 1.1.5 is not available in your supported release channel, contact Code Supply Co. for guidance on patch availability and timeline. Document the patch deployment date and verify successful application across all affected instances.

Detection guidance

Monitor application logs and web server access logs for requests containing suspicious file path patterns (e.g., ../, /etc/, /proc/). Watch for POST/GET parameters that reference local file paths or encoding attempts to bypass filters. Implement SIEM rules to flag unusual include/require parameter values. Review file access patterns from the web application process to identify unexpected reads of sensitive files. Consider deploying a Web Application Firewall (WAF) rule to block common LFI payloads while you plan patching.

Why prioritize this

Although this vulnerability has not yet been added to CISA's Known Exploited Vulnerabilities catalog, the combination of HIGH CVSS severity, network accessibility, and high impact across CIA triad warrants prompt prioritization. The fact that attack complexity is high—not low—provides a moderate window of time, but should not delay patch planning. Organizations should schedule Blueprint upgrades within their standard critical patch cycle (typically 30 days) rather than treating this as an emergency.

Risk score, explained

The CVSS v3.1 score of 8.1 (HIGH) reflects: network-based attack vector (AV:N) with no privilege requirements (PR:N) and no user interaction (UI:N), offset by high attack complexity (AC:H) that requires specific conditions to exploit. The impact is severe across all three pillars—confidentiality (access to local files), integrity (potential code execution), and availability (potential service disruption). The attack complexity prevents this from reaching CRITICAL (9.0+) but does not diminish the high business impact if exploitation succeeds.

Frequently asked questions

Do we need to patch immediately, or can we wait for the next maintenance window?

While CVE-2026-39552 is not currently listed on CISA's KEV catalog, the HIGH CVSS score and potential for code execution merit inclusion in your critical patch cycle. Target patching within 30 days if possible; however, if your organization has strong network controls isolating Blueprint instances or limited internet-facing exposure, a slightly longer window is defensible while you test in staging. Do not delay beyond 60 days.

What should we do if we cannot patch immediately?

Implement compensating controls: restrict network access to Blueprint to known, trusted IP ranges; enable all available authentication and authorization controls; monitor logs aggressively for LFI-related patterns; and confirm the web application process runs with minimal file system permissions. Consider temporarily disabling Blueprint if it is not critical, or deploying a WAF rule to block suspicious include/require parameter patterns. Schedule patching as soon as testing resources permit.

How do I know if Blueprint has been exploited?

Review web server and application logs for: requests with suspicious file path encodings, repeated failed attempts to access /etc/ or system paths, unusual parameter values in include/require handling, and file access logs showing the web application process reading unexpected files. Check for evidence of file access outside the intended application directory. If compromise is suspected, preserve logs and engage forensic or incident response resources immediately.

Are there any known workarounds or temporary fixes?

There is no known workaround that eliminates the vulnerability without upgrading to 1.1.5 or later. Compensating controls (network segmentation, access logging, WAF rules) reduce risk but do not eliminate it. The definitive fix is to apply the patched version as soon as your testing and deployment process permits.

This analysis is provided for informational purposes and represents the knowledge available as of the publication date. CVSS scores, vendor advisories, and patch availability are subject to change; always verify against official Code Supply Co. and NIST/NVD sources before making patching decisions. No exploit code or detailed exploitation techniques are provided herein. Organizations must conduct their own risk assessments and testing in accordance with their security policies and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).