CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
low-riskThe PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Common Consequences
Detection Methods
Manual white-box analysis can be very effective for finding this issue, since there is typically a relatively small number of include or require statements in each program.
The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-12209 | 9.8 | 88.7% | — |
| CVE-2023-49084 | 8.0 | 88.3% | — |
| CVE-2024-10571 | 9.8 | 87.3% | — |
| CVE-2023-3452 | 9.8 | 87.1% | — |
| CVE-2023-6989 | 9.8 | 61.9% | — |
| CVE-2024-3806 | 9.8 | 56.5% | — |
| CVE-2025-68645 | 8.8 | 50.1% | Y |
| CVE-2024-3136 | 9.8 | 49.6% | — |
| CVE-2023-2249 | 8.8 | 48.2% | — |
| CVE-2023-5815 | 8.1 | 43.2% | — |