Total
1108 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47576 | 2025-05-21 | 8.8 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme.This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5. | ||||
| CVE-2025-26735 | 2025-05-21 | 7.5 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9. | ||||
| CVE-2022-41547 | 1 Opensecurity | 1 Mobile Security Framework | 2025-05-10 | 7.5 High |
| Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request. | ||||
| CVE-2024-30849 | 2 Donbermoy, Sourcecodester | 2 Complete E-commerce Site, Complete Ecommerce Site | 2025-05-05 | 9.8 Critical |
| Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php. | ||||
| CVE-2022-44786 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | 7.5 High |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application. | ||||
| CVE-2024-33863 | 2 Linqi, Microsoft | 2 Linqi, Windows | 2025-04-28 | 9.8 Critical |
| An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion. | ||||
| CVE-2025-0632 | 2025-04-28 | N/A | ||
| Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in known locations to exfiltrate data including credentials, and with no rate limiting a malicious actor could enumerate the filesystem of the host machine and potentially lead to full host compromise. This issue affects Rock Maker Web: from 3.2.1.1 and later | ||||
| CVE-2025-31340 | 2025-04-17 | N/A | ||
| A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file. | ||||
| CVE-2022-4606 | 1 Flatpress | 1 Flatpress | 2025-04-14 | 9.8 Critical |
| PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. | ||||
| CVE-2022-4446 | 1 Corebos | 1 Corebos | 2025-04-14 | 9.8 Critical |
| PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0. | ||||
| CVE-2024-36569 | 2 Mayurik, Sourcecodester | 2 Gas Agency Management System, Gas Agency Management System | 2025-04-11 | 8.1 High |
| Sourcecodester Gas Agency Management System v1.0 is vulnerable to arbitrary code execution via editClientImage.php. | ||||
| CVE-2021-29113 | 1 Esri | 1 Arcgis Server | 2025-04-10 | 4.7 Medium |
| A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page. | ||||
| CVE-2025-26137 | 1 Systemic-rm | 1 Risk Value | 2025-04-01 | 7.5 High |
| Systemic Risk Value <=2.8.0 is vulnerable to Local File Inclusion via /GetFile.aspx?ReportUrl=. An unauthenticated attacker can exploit this issue to read arbitrary system files by supplying a crafted file path, potentially exposing sensitive information. | ||||
| CVE-2025-1771 | 1 Shinecommerce | 1 Traveler | 2025-03-28 | 9.8 Critical |
| The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | ||||
| CVE-2024-13790 | 2025-03-19 | 9.8 Critical | ||
| The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-21687 | 1 Atlassian | 3 Bamboo, Bamboo Data Center, Bamboo Server | 2025-03-14 | 8.1 High |
| This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program. | ||||
| CVE-2024-34314 | 1 Cmseasy | 1 Cmseasy | 2025-03-14 | 7.5 High |
| CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vunerability via the file_get_contents function in the fetch_action method of /admin/template_admin.php. This vulnerability allows attackers to read arbitrary files. | ||||
| CVE-2023-24217 | 1 Agilebio | 1 Electronic Lab Notebook | 2025-03-06 | 8.8 High |
| AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability. | ||||
| CVE-2025-22145 | 2025-02-25 | N/A | ||
| Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6. | ||||
| CVE-2025-26757 | 2025-02-24 | 7.5 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through 3.1.26. | ||||