CWE-98 1244 個 CVE MITRE 定義 ↗

CWE-98:Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

概覽

CWE-98(Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

適用平台

類型 名稱 普遍性 OS / CPE
language PHP Often
technology Web Based Undetermined
technology Web Server Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-13080 2026-07-09 The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.12.7 via the 'logKey'…
CVE-2026-12194 2026-07-04 PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is n…
CVE-2026-5137 2026-07-03 The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' pa…
CVE-2026-57749 2026-07-02 Contributor Local File Inclusion in SportsPress Pro <= 2.7.29 versions.
CVE-2026-57748 2026-07-02 Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
CVE-2026-42382 2026-07-02 Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
CVE-2026-27412 2026-07-02 Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
CVE-2025-69133 2026-07-02 Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
CVE-2025-58902 2026-07-02 Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
CVE-2026-12923 2026-07-01 The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_dele…
CVE-2026-57647 2026-06-26 Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.
CVE-2025-68064 2026-06-26 Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
CVE-2025-68063 2026-06-26 Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
CVE-2026-54845 2026-06-25 Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
CVE-2019-25760 2026-06-19 Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send…
CVE-2026-7515 2026-06-19 The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attacker…
CVE-2026-48820 2026-06-17 CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() d…
CVE-2026-54814 2026-06-17 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Moto…
CVE-2026-39590 2026-06-17 Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions.
CVE-2026-39559 2026-06-17 Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.

曾用名

  • PHP File Inclusion (2008-04-11)
  • Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (2009-05-27)
  • Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (2013-02-21)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Relationship_Notes, Research_Gaps, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Relationships
2009-03-10 CWE Content Team 1.3 updated Relationships
2009-05-27 CWE Content Team 1.4 updated Description, Name
2009-12-28 CWE Content Team 1.7 updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
2010-02-16 CWE Content Team 1.8 Critical converted from Compound_Element to Weakness
2010-02-16 CWE Content Team 1.8 updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Type
2010-06-21 CWE Content Team 1.9 updated Potential_Mitigations, References
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations
2010-12-13 CWE Content Team 1.11 updated Potential_Mitigations
2011-06-27 CWE Content Team 2.0 updated Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations, References
2013-02-21 CWE Content Team 2.4 updated Alternate_Terms, Name, Observed_Examples
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Affected_Resources, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2019-06-20 CWE Content Team 3.3 updated Type
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2021-03-15 CWE Content Team 4.4 updated Potential_Mitigations
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Research_Gaps
2022-10-13 CWE Content Team 4.9 updated References
2023-01-31 CWE Content Team 4.10 updated Description, Detection_Factors
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-04-03 CWE Content Team 4.17 updated Demonstrative_Examples
2025-09-09 CWE Content Team 4.18 updated Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Demonstrative_Examples, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence