Total
1102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53442 | 1 Axiomthemes | 1 Rentic | 2026-01-20 | N/A | 8.1 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rentic rentic allows PHP Local File Inclusion.This issue affects Rentic: from n/a through <= 1.1. | |||||
| CVE-2025-53441 | 1 Axiomthemes | 1 Greeny | 2026-01-20 | N/A | 8.1 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Greeny greeny allows PHP Local File Inclusion.This issue affects Greeny: from n/a through <= 2.6. | |||||
| CVE-2025-53439 | 1 Axiomthemes | 1 Harper | 2026-01-20 | N/A | 8.1 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13. | |||||
| CVE-2025-53438 | 1 Axiomthemes | 1 Fitline | 2026-01-20 | N/A | 8.1 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitLine fitline allows PHP Local File Inclusion.This issue affects FitLine: from n/a through <= 1.6. | |||||
| CVE-2025-53435 | 1 Axiomthemes | 1 Plan My Day | 2026-01-20 | N/A | 8.1 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Plan My Day planmyday allows PHP Local File Inclusion.This issue affects Plan My Day: from n/a through <= 1.1.13. | |||||
| CVE-2021-47734 | 1 Cmsimple | 1 Cmsimple | 2026-01-05 | N/A | 7.8 HIGH |
| CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms. | |||||
| CVE-2015-10133 | 1 Markjaquith | 1 Subscribe To Comments | 2025-12-23 | N/A | 7.2 HIGH |
| The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code. | |||||
| CVE-2023-52325 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | N/A | 7.5 HIGH |
| A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations. Please note: this vulnerability must be used in conjunction with another one to exploit an affected system. In addition, an attacker must first obtain a valid set of credentials on target system in order to exploit this vulnerability. | |||||
| CVE-2025-63738 | 1 Rockoa | 1 Rockoa | 2025-12-12 | N/A | 4.3 MEDIUM |
| An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php. | |||||
| CVE-2025-60574 | 1 Webair | 1 Tquadra Cms | 2025-12-11 | N/A | 7.5 HIGH |
| A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize user-supplied input. An attacker can exploit this by sending a crafted GET request to retrieve arbitrary files from the underlying system. | |||||
| CVE-2025-65656 | 1 Dcatadmin | 1 Dcat Admin | 2025-12-03 | N/A | 9.8 CRITICAL |
| dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. | |||||
| CVE-2025-63888 | 1 Thinkphp | 1 Thinkphp | 2025-11-25 | N/A | 9.8 CRITICAL |
| The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. | |||||
| CVE-2025-41734 | 1 Metz-connect | 6 Ewio2-bm, Ewio2-bm Firmware, Ewio2-m and 3 more | 2025-11-21 | N/A | 9.8 CRITICAL |
| An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. | |||||
| CVE-2024-14002 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.5 MEDIUM |
| Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host. | |||||
| CVE-2024-31459 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | N/A | 8.0 HIGH |
| Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. | |||||
| CVE-2025-51057 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 6.5 MEDIUM |
| A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'. | |||||
| CVE-2025-8913 | 1 Wellchoose | 1 Organization Portal System | 2025-08-21 | N/A | 9.8 CRITICAL |
| Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. | |||||
| CVE-2024-45077 | 1 Ibm | 1 Maximo Asset Management | 2025-08-14 | N/A | 6.5 MEDIUM |
| IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of adding a dot to the end of the file name if Maximo is installed on Windows operating system. | |||||
| CVE-2025-24937 | 1 Nokia | 1 Wavesuite Noc | 2025-08-11 | N/A | 9.0 CRITICAL |
| File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web application and the container it is running on. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. The web application allows arbitrary files to be included in a file that was downloadable and executable by the web server. | |||||
| CVE-2025-0682 | 1 Themerex | 1 Addons | 2025-08-08 | N/A | 8.8 HIGH |
| The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | |||||