{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22413", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:56.450Z", "datePublished": "2026-03-05T05:53:36.410Z", "dateUpdated": "2026-04-28T17:07:16.098Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "malgre", "product": "Malgr\u00e9", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:09.359Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgr\u00e9 malgre allows PHP Local File Inclusion.<p>This issue affects Malgr\u00e9: from n/a through <= 1.0.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgr\u00e9 malgre allows PHP Local File Inclusion.This issue affects Malgr\u00e9: from n/a through <= 1.0.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.534Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/malgre/vulnerability/wordpress-malgre-theme-1-0-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Malgr\u00e9 theme <= 1.0.3 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T16:52:53.025878Z", "id": "CVE-2026-22413", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:07:16.098Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22413", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:56.450Z", "datePublished": "2026-03-05T05:53:36.410Z", "dateUpdated": "2026-04-28T17:07:16.098Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "malgre", "product": "Malgr\u00e9", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:09.359Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgr\u00e9 malgre allows PHP Local File Inclusion.<p>This issue affects Malgr\u00e9: from n/a through <= 1.0.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgr\u00e9 malgre allows PHP Local File Inclusion.This issue affects Malgr\u00e9: from n/a through <= 1.0.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.534Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/malgre/vulnerability/wordpress-malgre-theme-1-0-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Malgr\u00e9 theme <= 1.0.3 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T16:52:53.025878Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T16:50:53.910Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgr\u00e9 malgre allows PHP Local File Inclusion.This issue affects Malgr\u00e9: from n/a through <= 1.0.3."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP (vulnerabilidad de 'inclusi\u00f3n remota de ficheros PHP') en Mikado-Themes Malgr\u00e9 malgre permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Malgr\u00e9: desde n/a hasta &lt;= 1.0.3."}], "id": "CVE-2026-22413", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:15.033", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/malgre/vulnerability/wordpress-malgre-theme-1-0-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "malgr\u00e9", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:35:44.537406+00:00", "value": {"mitigation_remediation": ["Update the Malgre theme to the latest version or apply the vendor\u2019s security patch.", "If an update is not yet available, disable the theme immediately and switch to a trusted alternative WordPress theme.", "Restrict file permissions on the WordPress installation so that the web server cannot read sensitive configuration files outside the theme directory."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion that may lead to unauthorized file disclosure or remote code execution"}, "threat_synthesis": {"affected_systems": "Mikado\u2011Themes Malgre WordPress theme versions up to and including 1.0.3 are impacted. Versions before 1.0.3 are also affected as the issue exists throughout the series up to the stated maximum release. The specific product is the Malgre theme for WordPress.", "description_and_impact": "The vulnerability is an improper control of the filename used in a PHP include or require statement. An attacker can manipulate the include path and force the WordPress theme to load local files. This allows the attacker to read sensitive files, such as configuration files, and in some cases execute arbitrary PHP code if the attacker can write to included files or includes a PHP file that executes code. The weakness is categorized as CWE\u201198, a classic local file inclusion flaw.", "risk_and_exploitability": "The CVSS base score is 8.1, indicating high severity. The EPSS score is reported as less than 1\u202f%, suggesting that, at the time of analysis, the likelihood of exploitation is very low but not zero. The vulnerability is not currently featured in the CISA KEV catalog. Exploitation requires an attacker to send a crafted HTTP request that triggers the theme\u2019s unsanitized include logic; no physical access or privileged credentials are needed. Given the low EPSS, passive monitoring may delay detection, but the high CVSS means that a successful exploitation would lead to significant impact."}}}}, "created": "2026-03-06T15:14:37.752082+00:00", "updated": "2026-04-16T05:45:26.012697+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$malgr\u00e9", "wordpress", "wordpress$PRODUCT$wordpress"]}