CWE-98 · PHP Remote File Inclusion
1235 CVEs classified under CWE-98 (PHP Remote File Inclusion). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2025-25174 | Critical | 10.0 | 2025-08-14 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beete… |
CVE-2025-52562 | Critical | 10.0 | 2025-06-23 | Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the Loca… |
CVE-2026-9559 | Critical | 9.9 | 2026-05-29 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the val… |
CVE-2026-41228 | Critical | 9.9 | 2026-04-23 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not valid… |
CVE-2023-5199 | Critical | 9.9 | 2023-10-30 | The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' sh… |
CVE-2026-7515 | Critical | 9.8 | 2026-06-19 | The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes… |
CVE-2026-27065 | Critical | 9.8 | 2026-03-19 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress al… |
CVE-2026-3826 | Critical | 9.8 | 2026-03-11 | IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. |
CVE-2026-28043 | Critical | 9.8 | 2026-03-05 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Med… |
CVE-2026-0926 | Critical | 9.8 | 2026-02-19 | The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]'… |
CVE-2021-47900 | Critical | 9.8 | 2026-01-27 | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands throu… |
CVE-2025-14502 | Critical | 9.8 | 2026-01-14 | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template paramet… |
CVE-2025-53433 | Critical | 9.8 | 2025-12-18 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PH… |
CVE-2025-65656 | Critical | 9.8 | 2025-12-02 | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. |
CVE-2025-63888 | Critical | 9.8 | 2025-11-20 | The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. |
CVE-2025-41734 | Critical | 9.8 | 2025-11-18 | An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. |
CVE-2025-11023 | Critical | 9.8 | 2025-10-23 | Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion… |
CVE-2025-7634 | Critical | 9.8 | 2025-10-09 | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and inclu… |
CVE-2025-7721 | Critical | 9.8 | 2025-10-03 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and includ… |
CVE-2025-48293 | Critical | 9.8 | 2025-08-14 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allo… |