{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25464", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.641Z", "datePublished": "2026-03-25T16:14:51.623Z", "dateUpdated": "2026-04-28T16:14:59.533Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jannah", "product": "Jannah", "vendor": "TieLabs", "versions": [{"changes": [{"at": "7.6.5", "status": "unaffected"}], "lessThanOrEqual": "7.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-04-22T14:18:21.437Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.<p>This issue affects Jannah: from n/a through <= 7.6.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.533Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Jannah theme <= 7.6.4 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:19:06.103991Z", "id": "CVE-2026-25464", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:46:11.973Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25464", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.641Z", "datePublished": "2026-03-25T16:14:51.623Z", "dateUpdated": "2026-04-28T01:46:11.973Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jannah", "product": "Jannah", "vendor": "TieLabs", "versions": [{"changes": [{"at": "7.6.5", "status": "unaffected"}], "lessThanOrEqual": "7.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-04-22T14:18:21.437Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.<p>This issue affects Jannah: from n/a through <= 7.6.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.979Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Jannah theme <= 7.6.4 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25464", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:19:06.103991Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:19:00.497Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.4."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP, vulnerabilidad ('inclusi\u00f3n remota de ficheros PHP') en TieLabs Jannah jannah permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Jannah: desde n/a hasta &lt;= 7.6.3."}], "id": "CVE-2026-25464", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:52.563", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.6.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Jannah", "source": "cna", "vendor": "TieLabs"}, "product": "jannah", "vendor": "tielabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T21:56:52.244379+00:00", "value": {"mitigation_remediation": ["Update the Jannah theme to the latest patched release that is newer than 7.6.4.", "If an update is not immediately available, limit the PHP code that uses user\u2011controlled filenames or remove such statements, and ensure the web server\u2019s file system permissions prevent reading of sensitive files like configuration files.", "Deploy or tune a web application firewall to block or scrub requests that contain path traversal or other patterns indicative of an attempt to include local files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The TieLabs Jannah theme for WordPress is affected. All releases from the initial launch up through version\u00a07.6.4 contain the flaw. WordPress sites that have installed any of these theme versions are at risk; no other vendors or products are listed.", "description_and_impact": "The flaw originates from improper control of filenames used in PHP include/require statements within the TieLabs Jannah theme, allowing an attacker to trigger PHP Local File Inclusion. By manipulating the filename parameter, an adversary can include arbitrary local files on the server, potentially exposing sensitive configuration data, credentials, or providing a foothold for further exploitation such as code execution. This vulnerability corresponds to CWE\u201198: Improper Control of Filename for Include/Require Statement.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The CVE is not part of the CISA KEV catalog. The likely attack vector is via the web interface where the theme is active, by sending crafted HTTP requests that trigger the vulnerable include. Based on the description, it is inferred that authentication is not required for the inclusion, meaning unauthenticated or low\u2011privilege users could potentially succeed, with the ultimate impact depending on file system permissions and web server configuration."}}}}, "created": "2026-03-25T21:44:17.244175+00:00", "updated": "2026-04-28T22:00:14.174882+00:00", "vendors": ["tielabs", "tielabs$PRODUCT$jannah", "wordpress", "wordpress$PRODUCT$wordpress"]}