CVE-2026-27998
Published: 05 March 2026
Summary
CVE-2026-27998 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27998 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, which allows PHP Local File Inclusion in the ThemeREX Vixus WordPress theme. The issue affects Vixus versions from n/a through 1.0.16 and is associated with CWE-98. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.
Remote unauthenticated attackers can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables attackers to include local files via PHP's include/require statements, potentially leading to arbitrary code execution, sensitive data exposure, file modification, or denial of service, aligning with the high impact ratings across confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vixus/vulnerability/wordpress-vixus-theme-1-0-16-local-file-inclusion-vulnerability?_s_id=cve, which covers the Local File Inclusion vulnerability in the Vixus WordPress theme version 1.0.16.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9668
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vixus vixus allows PHP Local File Inclusion.This issue affects Vixus: from n/a through <= 1.0.16.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a PHP Local File Inclusion (LFI) in a public-facing WordPress theme, directly exploited over the network via improper filename control in include/require statements, matching T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the improper control of filenames in PHP include/require statements by validating user-supplied inputs to prevent local file inclusion.
Ensures timely patching and remediation of the LFI vulnerability in ThemeREX Vixus WordPress theme versions through 1.0.16.
Identifies the PHP LFI vulnerability via vulnerability scanning, enabling proactive remediation before exploitation.