Cyber Resilience

CVE-2022-40089

Critical · Public PoC

Published: 22 September 2022
Modified: 27 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0287 (86.6th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40089 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Simple College Website, published by the Simple College Website Project. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 13.4% of CVEs by exploit likelihood (EPSS 86.6th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-40089 is a remote file inclusion vulnerability affecting Simple College Website version 1.0. The flaw, tracked under CWE-98, permits execution of arbitrary code through a crafted PHP file when the PHP directive allow_url_include is enabled. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.

Unauthenticated remote attackers can supply a malicious URL pointing to attacker-controlled PHP code, resulting in full compromise of the web application and underlying server when the vulnerable condition is met. The issue stems from insufficient validation of included files in the affected source code distribution.

No vendor advisories or official patches are referenced in available sources. The EPSS score rose from low values to a peak of 0.0539 on 2025-01-22 before receding to the current 0.0287, indicating a post-disclosure increase in observed exploitation interest.


Vulnerability details

A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.
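To make the mechanism described in the deeper analysis and in the vulnerability details above concrete, here is an added illustration; it is not code from the Simple College Website project, whose actual vulnerable code path this page does not show. It assumes a hypothetical page router that includes a template named by a `page` request parameter (the parameter, the router functions and the file names are all assumptions), shows the CWE-98 pattern beside a hardened allowlist version, and adds a runtime check for the `allow_url_include` directive the page identifies as the precondition for exploitation.

```php
<?php
// Added illustrative example (defender's view), not the project's own code.
// The router, the 'page' parameter and the template names are assumptions.

// --- Vulnerable pattern (CWE-98) ---------------------------------------------
// The request value reaches include() unvalidated. With allow_url_include=On,
// PHP will fetch and execute remote resources named by the value, which is the
// condition this CVE depends on; with it Off, local path traversal is still
// possible, so the fix below does not rely on the directive alone.
function render_unsafe(array $request): void
{
    $page = $request['page'] ?? 'home';
    include $page;               // attacker-controlled path or URL is executed
}

// --- Hardened pattern ---------------------------------------------------------
// Map the request value onto a fixed allowlist of local files. The user-supplied
// string is only ever used as a lookup key, never as part of a file path.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'courses' => __DIR__ . '/pages/courses.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_safe(array $request): void
{
    $key = $request['page'] ?? 'home';

    // page[]=... arrives as an array; reject anything that is not a plain string
    // and anything outside the allowlist, and log the rejection for detection.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        http_response_code(404);
        $shown = is_string($key) ? bin2hex($key) : gettype($key);
        error_log("render_safe: rejected include key " . $shown);
        return;
    }
    include PAGES[$key];
}

// --- Defence in depth: verify the directive the page names ----------------------
// allow_url_include is Off by default and deprecated since PHP 7.4. ini_get()
// returns "1"/"On" when enabled and ""/"0" when disabled.
function url_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Startup check: refuse to serve if a deployment has turned the directive on,
// so a configuration regression is caught before it can be combined with an
// include bug elsewhere in the application.
if (!url_include_disabled()) {
    http_response_code(500);
    error_log('allow_url_include is On; refusing to serve until php.ini is fixed');
    exit;
}

render_safe($_GET);
```

The allowlist is the actual fix for the weakness class: it removes the untrusted value from the include path entirely, so it holds whether or not `allow_url_include` is enabled. The directive check is a second layer that also gives operators a clear log line to alert on, and the rejection log in `render_safe` records probing of the parameter without echoing raw input into logs.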

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Simple College Website Project
Product: Simple College Website
Version: 1.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
