CVE-2026-39681
Published: 08 April 2026
Summary
CVE-2026-39681 is a high-severity file inclusion vulnerability (CWE-98, "Improper Control of Filename for Include/Require Statement in PHP Program") in the ApusTheme Homeo WordPress theme; the reported impact is PHP Local File Inclusion. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39681 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98. The CWE's short name is "PHP Remote File Inclusion", but the CVE description states that this instance allows PHP Local File Inclusion: an attacker-controlled value reaches a PHP include/require and can be steered to files already on the server's filesystem. It affects the ApusTheme Homeo WordPress theme in all versions up to and including 1.2.59 (the lower bound of the affected range is unspecified, "n/a").
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The vector means the flaw is reachable over the network, requires an authenticated low-privileged account on the site (PR:L), carries high attack complexity (AC:H), and needs no user interaction. A successful attack has high impact on confidentiality, integrity and availability: inclusion of arbitrary local files can expose sensitive data (for example configuration files containing database credentials) and, where the attacker can also plant or control the contents of a file on the server, lead to code execution and full compromise of WordPress sites running the vulnerable theme.
Patchstack has published an advisory for the local file inclusion vulnerability in Homeo theme versions up to 1.2.59 at https://patchstack.com/database/Wordpress/Theme/homeo/vulnerability/wordpress-homeo-theme-1-2-59-local-file-inclusion-vulnerability?_s_id=cve; security practitioners should consult it for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20365
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI flaw in a public-facing WordPress theme is exploited directly through T1190 (Exploit Public-Facing Application). It enables T1005 (Data from Local System) because the attacker can read arbitrary files the PHP process can open, including wp-config.php. It maps to T1505.003 (Web Shell) because an include of a file whose contents the attacker controls (an uploaded file, a poisoned log or session file) executes that content as PHP; the inclusion itself does not create the payload, so the web-shell step also depends on the attacker having some way to write controlled data to disk.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Requires timely patching of the vulnerable Homeo WordPress theme to remediate the PHP local file inclusion flaw.
SI-10 (Information Input Validation): Validates user-supplied filenames before they reach PHP include/require statements, preferably against an allowlist of expected template names, to block directory traversal and unauthorized local file access.
Secure PHP configuration: Enforces settings such as open_basedir, which confines the files PHP may open to a directory tree, to limit the scope of a local file inclusion exploit; allow_url_include should remain Off (its default) so that the same flaw cannot be turned into remote file inclusion.
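As an added example (not code from the Homeo theme, from ApusTheme, or from Patchstack's advisory), the following PHP contrasts the CWE-98 pattern described under Deeper analysis with the input validation (SI-10) and path containment that the controls above call for. The function names, template names and directory layout are hypothetical; the demo builds its own temporary files so it runs offline.

```php
<?php
// Added example, not the Homeo theme's code. A theme-style template loader that
// takes the template name from the request. Paths and names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern (CWE-98): the request value is concatenated into the
// include path. With a fixed directory prefix the attacker cannot reach a
// remote URL, but "../secret" or deeper traversal reaches any local .php file
// the PHP process can read, which is exactly the local file inclusion case.
function render_template_vulnerable(string $template_dir, string $template): void
{
    include $template_dir . '/' . $template . '.php';
}

// Hardened loader, two independent guards:
// (1) the name must literally appear in an allowlist, so nothing containing
//     "/", "..", wrappers or encoding tricks is ever used as a path;
// (2) the canonicalised candidate must still lie inside $template_dir, which
//     keeps the loader safe if the allowlist is later loosened to a pattern.
const ALLOWED_TEMPLATES = ['listing', 'listing-grid', 'agent', 'property'];

function resolve_template(string $template_dir, string $template): ?string
{
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $template . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Prefix check on canonical paths; the trailing separator stops
    // "/srv/templates-evil/x.php" from matching base "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_hardened(string $template_dir, string $template): void
{
    $path = resolve_template($template_dir, $template);
    if ($path === null) {
        http_response_code(400);
        echo 'bad template';
        return;
    }
    include $path;
}

// Self-contained demo: a template directory plus a "secret" file one level
// above it, standing in for a file such as wp-config.php.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$templates = $root . '/templates';
mkdir($templates, 0700, true);
file_put_contents($templates . '/listing.php', "<?php echo 'listing template';\n");
file_put_contents($root . '/secret.php', "<?php echo 'SECRET';\n");

// The vulnerable loader happily includes the file outside its directory.
ob_start();
render_template_vulnerable($templates, '../secret');
$leaked = ob_get_clean();
echo "vulnerable loader, input '../secret' printed: {$leaked}\n";

// The hardened loader only accepts allowlisted names that resolve inside
// the template directory.
$inputs = ['listing', '../secret', 'listing/../../secret', 'LISTING'];
foreach ($inputs as $in) {
    $r = resolve_template($templates, $in);
    printf("hardened resolve(%-22s) => %s\n", "'{$in}'", $r === null ? 'REJECTED' : 'OK');
}

// Clean up the temporary files.
unlink($templates . '/listing.php');
unlink($root . '/secret.php');
rmdir($templates);
rmdir($root);
```

The allowlist is the decisive control here: it never lets attacker-shaped data become a path. The realpath containment check is defence in depth, and open_basedir in php.ini (or a per-directory .user.ini) is a third, process-wide layer that fails the include even if both application-level checks are bypassed.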