{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28066", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:39.590Z", "datePublished": "2026-03-05T05:54:19.780Z", "dateUpdated": "2026-04-28T17:39:12.353Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "legrand", "product": "Legrand", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "2.17", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:52.026Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion.<p>This issue affects Legrand: from n/a through <= 2.17.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion.This issue affects Legrand: from n/a through <= 2.17."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.755Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/legrand/vulnerability/wordpress-legrand-theme-2-17-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Legrand theme <= 2.17 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T20:57:48.481251Z", "id": "CVE-2026-28066", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:39:12.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T20:57:48.481251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T20:57:08.696Z"}}], "cna": {"title": "WordPress Legrand theme <= 2.17 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Legrand", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.17"}], "packageName": "legrand", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:52.026Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/legrand/vulnerability/wordpress-legrand-theme-2-17-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion.This issue affects Legrand: from n/a through <= 2.17.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion.<p>This issue affects Legrand: from n/a through <= 2.17.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.755Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28066", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:39:12.353Z", "dateReserved": "2026-02-25T12:13:39.590Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:19.780Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion.This issue affects Legrand: from n/a through <= 2.17."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en el programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en ThemeREX Legrand legrand permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Legrand: desde n/a hasta &lt;= 2.17."}], "id": "CVE-2026-28066", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:40.480", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/legrand/vulnerability/wordpress-legrand-theme-2-17-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "legrand", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:01:51.775698+00:00", "value": {"mitigation_remediation": ["Update ThemeREX\u202fLegrand to version\u202f2.18 or later when it becomes available", "Restrict include/require calls to a whitelist of trusted file paths, rejecting any input that attempts directory traversal or file names outside that list", "Disable PHP remote file inclusion (set allow_url_include=Off and enable open_basedir restrictions) to prevent both local and remote file inclusions"], "summary": {"action": "Immediate Patch", "impact": "Potential remote code execution via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ThemeREX Legrand theme, versions n/a through 2.17. Site owners should check the active theme version and identify any deployment of the affected theme.", "description_and_impact": "ThemeREX Legrand theme up to version 2.17 contains an improper control of filename for include/require statements in PHP. The flaw allows an attacker with sufficient access to supply path arguments that are passed directly to include/require, enabling local file inclusion. Local file inclusion can expose sensitive information or, if attacker-controlled files are included, allow arbitrary code execution. The weakness is identified as CWE-98, indicating failure to properly sanitize filename inputs.", "risk_and_exploitability": "The CVSS base score of 8.1 reflects a high severity impact. The EPSS score of less than 1% indicates that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been confirmed. Nevertheless, the attack vector requires the ability to influence the filename parameter passed to an include/require operation, which could be achieved through crafted input such as HTTP GET/POST parameters or directory traversal attempts. The potential for remote code execution makes this vulnerability a critical security concern for administrators who have not applied a fix or mitigated the issue."}}}}, "created": "2026-03-06T15:10:53.071555+00:00", "updated": "2026-04-15T23:15:17.749412+00:00", "vendors": ["themerex", "themerex$PRODUCT$legrand", "wordpress", "wordpress$PRODUCT$wordpress"]}