Total
1102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54138 | 1 Librenms | 1 Librenms | 2025-08-05 | N/A | 7.5 HIGH |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0. | |||||
| CVE-2024-10873 | 1 La-studioweb | 1 Element Kit For Elementor | 2025-07-12 | N/A | 8.8 HIGH |
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2023-49031 | 1 Oneadvanced | 1 Tikit Emarketing | 2025-07-11 | N/A | 5.1 MEDIUM |
| Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a crafted payload to the filename parameter to the OpenLogFile endpoint. | |||||
| CVE-2024-37479 | 1 La-studioweb | 1 Element Kit For Elementor | 2025-07-10 | N/A | 8.5 HIGH |
| Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1. | |||||
| CVE-2024-1600 | 1 Lollms | 1 Lollms Web Ui | 2025-07-09 | N/A | 9.3 CRITICAL |
| A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application. | |||||
| CVE-2025-7327 | 1 Radiustheme | 1 Widget For Google Reviews | 2025-07-09 | N/A | 8.8 HIGH |
| The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files. | |||||
| CVE-2025-6746 | 1 Xtemos | 1 Woodmart | 2025-07-09 | N/A | 8.8 HIGH |
| The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included. | |||||
| CVE-2025-4380 | 1 Scripteo | 1 Ads Pro | 2025-07-08 | N/A | 8.1 HIGH |
| The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site. | |||||
| CVE-2025-4689 | 1 Scripteo | 1 Ads Pro | 2025-07-08 | N/A | 9.8 CRITICAL |
| The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability. | |||||
| CVE-2024-40112 | 1 Sitecom | 2 Wlx-2006, Wlx-2006 Firmware | 2025-06-25 | N/A | 5.9 MEDIUM |
| A Local File Inclusion (LFI) vulnerability exists in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before, which allows an attacker to manipulate the "language" cookie to include arbitrary files from the server. This vulnerability can be exploited to disclose sensitive information. | |||||
| CVE-2025-25539 | 3 Linux, Microsoft, Onespan | 3 Linux Kernel, Windows, Vasco Self-service Portal | 2025-06-25 | N/A | 6.5 MEDIUM |
| Local File Inclusion vulnerability in Vasco v3.14and before allows a remote attacker to obtain sensitive information via help menu. | |||||
| CVE-2024-51319 | 1 Zucchetti | 1 Ad Hoc Infinity | 2025-05-28 | N/A | 7.3 HIGH |
| A local file include vulnerability in the /servlet/Report of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution by uploading a jsp web/reverse shell through /jsp/zimg_upload.jsp. | |||||
| CVE-2022-40089 | 1 Simple College Website Project | 1 Simple College Website | 2025-05-27 | N/A | 9.8 CRITICAL |
| A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On. | |||||
| CVE-2024-13592 | 1 Webdevocean | 1 Team-builder-for-wpbakery-page-builder | 2025-05-24 | N/A | 7.5 HIGH |
| The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2022-41547 | 1 Opensecurity | 1 Mobile Security Framework | 2025-05-10 | N/A | 7.5 HIGH |
| Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request. | |||||
| CVE-2024-30849 | 1 Donbermoy | 1 Complete E-commerce Site | 2025-05-05 | N/A | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php. | |||||
| CVE-2022-44786 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | N/A | 7.5 HIGH |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application. | |||||
| CVE-2024-33863 | 2 Linqi, Microsoft | 2 Linqi, Windows | 2025-04-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion. | |||||
| CVE-2024-36569 | 1 Mayurik | 1 Gas Agency Management System | 2025-04-11 | N/A | 8.1 HIGH |
| Sourcecodester Gas Agency Management System v1.0 is vulnerable to arbitrary code execution via editClientImage.php. | |||||
| CVE-2025-26137 | 1 Systemic-rm | 1 Risk Value | 2025-04-01 | N/A | 7.5 HIGH |
| Systemic Risk Value <=2.8.0 is vulnerable to Local File Inclusion via /GetFile.aspx?ReportUrl=. An unauthenticated attacker can exploit this issue to read arbitrary system files by supplying a crafted file path, potentially exposing sensitive information. | |||||