Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

CVEs (1,143)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-31718 1Frangoteam 1Fuxa Nov 21, 2024 Sep 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
CVE-2023-31716 1Frangoteam 1Fuxa Nov 21, 2024 Sep 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
CVE-2023-23565 1Geomatika 1Isigeo Web Nov 21, 2024 Aug 22, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.
CVE-2023-3452 1Canto 1Canto Apr 8, 2026 Aug 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote...Show more The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.Show less
CVE-2023-4195 1Agentejo 1Cockpit Nov 21, 2024 Aug 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
CVE-2023-2249 1Gvectors 1Wpforo Forum Apr 8, 2026 Jun 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_conten...Show more The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.Show less
CVE-2023-2551 1Bumsys Project 1Bumsys Nov 21, 2024 May 5, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1.
CVE-2023-24217 1Agilebio 1Electronic Lab Notebook Mar 6, 2025 Mar 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.
CVE-2022-4606 1Flatpress 1Flatpress Nov 21, 2024 Dec 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.
CVE-2022-4446 1Corebos 1Corebos Nov 21, 2024 Dec 13, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.
CVE-2022-44786 1Maggioli 1Appalti & Contratti Apr 29, 2025 Nov 21, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do P...Show more An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application.Show less
CVE-2022-41547 1Opensecurity 1Mobile Security Framework May 10, 2025 Oct 18, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files v...Show more Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.Show less
CVE-2022-40089 1Simple College Website Project 1Simple College Website May 27, 2025 Sep 22, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set...Show more A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.Show less
CVE-2021-29113 1Esri 1Arcgis Server Nov 21, 2024 Dec 7, 2021 N/A· v4 4.7 MEDIUM· v3 4.3 MEDIUM· v2 A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.
CVE-2021-22968 1Concretecms 1Concrete Cms Nov 21, 2024 Nov 19, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the...Show more A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0Show less
CVE-2021-21804 1Advantech 1R Seenet Nov 21, 2024 Jul 16, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacke...Show more A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.Show less
CVE-2020-13175 1Teradici 2Cloud Access Connector Cloud Access Connector Legacy Nov 21, 2024 Aug 11, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerab...Show more The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request.Show less
CVE-2020-5295 1Octobercms 1October Nov 21, 2024 Jun 3, 2020 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by...Show more In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).Show less
CVE-2019-5479 1Larvit 1Larvitbase Nov 21, 2024 Sep 3, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).
CVE-2014-9186 1Honeywell 1Experion Process Knowledge System Nov 21, 2024 Apr 8, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, a...Show more A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.Show less

Previous 1...54 55 565758 Next