CWE-98 · PHP Remote File Inclusion

1235 CVEs classified under CWE-98 (PHP Remote File Inclusion). Browse by severity and year.

Top CVEs for CWE-98
CVE | Severity | Score | Published | Summary
CVE-2025-25174 | Critical | 10.0 | 2025-08-14 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beete…
CVE-2025-52562 | Critical | 10.0 | 2025-06-23 | Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the Loca…
CVE-2026-9559 | Critical | 9.9 | 2026-05-29 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the val…
CVE-2026-41228 | Critical | 9.9 | 2026-04-23 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not valid…
CVE-2023-5199 | Critical | 9.9 | 2023-10-30 | The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' sh…
CVE-2026-7515 | Critical | 9.8 | 2026-06-19 | The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes…
CVE-2026-27065 | Critical | 9.8 | 2026-03-19 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress al…
CVE-2026-3826 | Critical | 9.8 | 2026-03-11 | IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.
CVE-2026-28043 | Critical | 9.8 | 2026-03-05 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Med…
CVE-2026-0926 | Critical | 9.8 | 2026-02-19 | The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]'…
CVE-2021-47900 | Critical | 9.8 | 2026-01-27 | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands throu…
CVE-2025-14502 | Critical | 9.8 | 2026-01-14 | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template paramet…
CVE-2025-53433 | Critical | 9.8 | 2025-12-18 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PH…
CVE-2025-65656 | Critical | 9.8 | 2025-12-02 | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
CVE-2025-63888 | Critical | 9.8 | 2025-11-20 | The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
CVE-2025-41734 | Critical | 9.8 | 2025-11-18 | An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
CVE-2025-11023 | Critical | 9.8 | 2025-10-23 | Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion…
CVE-2025-7634 | Critical | 9.8 | 2025-10-09 | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and inclu…
CVE-2025-7721 | Critical | 9.8 | 2025-10-03 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and includ…
CVE-2025-48293 | Critical | 9.8 | 2025-08-14 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allo…