The vulnerability CVE-2024-49649 affects hakeemnala Build App Online up to version 1.0.23 and is caused by improper control of filenames used in PHP include or require statements. This leads to a PHP Local File Inclusion vulnerability, enabling attackers to include arbitrary files on the server, potentially resulting in remote code execution or data disclosure. The CVSS 3.1 base score is 9.8, reflecting critical impact with network attack vector and no required privileges or user interaction. No patch or official remediation guidance is currently provided by the vendor. The vulnerability is publicly disclosed and assigned by Patchstack, but no known active exploitation has been reported.

Successful exploitation of this vulnerability can lead to full compromise of the affected system, including unauthorized disclosure of sensitive information, modification of data, and disruption of service. The critical CVSS score of 9.8 indicates that an attacker can remotely exploit this flaw without authentication or user interaction, making it highly dangerous. However, there are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the affected application, applying web application firewall rules to detect and block malicious requests targeting file inclusion, and reviewing application configurations to limit file inclusion paths. Monitor vendor communications for updates and apply patches promptly once available.