CVE-2025-26760 identifies a Local File Inclusion (LFI) vulnerability in the Wow-Company Calculator Builder software, specifically versions up to and including 1.6.2. The root cause is improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the file path and cause the application to include unintended local files. This can lead to unauthorized disclosure of sensitive files such as configuration files, source code, or system files, and potentially enable code execution if combined with other vulnerabilities or misconfigurations. The vulnerability arises because the application does not adequately sanitize or validate user-supplied input controlling the file inclusion mechanism. Although the vulnerability is classified as a Local File Inclusion rather than Remote File Inclusion, it still poses serious risks by enabling attackers to read arbitrary files on the server. No public patches or exploit code are currently available, and no known active exploitation has been reported. However, the presence of this vulnerability in a web-facing PHP application means that attackers can exploit it remotely by crafting malicious requests to the affected endpoints. The lack of a CVSS score indicates that the vulnerability has not yet been fully assessed, but the technical details and impact suggest a significant threat. The vulnerability affects web servers running PHP with the Calculator Builder product installed, which is used to create custom calculators embedded in websites or applications. The improper input validation and control of include paths are common issues in PHP applications that can lead to serious security breaches if not addressed.

The impact of CVE-2025-26760 can be substantial for organizations using the Wow-Company Calculator Builder. Successful exploitation allows attackers to read arbitrary files on the server, potentially exposing sensitive information such as credentials, configuration files, or proprietary source code. This can lead to further attacks, including privilege escalation, remote code execution, or lateral movement within the network. The confidentiality of data is primarily at risk, but integrity and availability could also be compromised if attackers leverage the vulnerability to execute malicious code or disrupt services. Organizations relying on Calculator Builder for customer-facing or internal applications may face data breaches, reputational damage, and compliance violations. The ease of exploitation is moderate since it requires crafting specific HTTP requests to manipulate file inclusion parameters, but no authentication is needed, increasing the attack surface. The scope is limited to systems running the vulnerable versions of Calculator Builder, but given the widespread use of PHP web applications globally, many organizations could be affected. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly once the vulnerability is public.

To mitigate CVE-2025-26760, organizations should take the following specific actions: 1) Monitor Wow-Company communications and security advisories for official patches or updates addressing this vulnerability and apply them promptly. 2) Implement strict input validation and sanitization on all parameters controlling file inclusion to ensure only allowed filenames or paths are accepted. 3) Employ whitelisting techniques to restrict included files to a predefined set of safe files or directories. 4) Configure PHP settings to disable dangerous functions or limit file inclusion paths using open_basedir restrictions. 5) Conduct code reviews and security testing on Calculator Builder integrations to identify and remediate similar insecure coding patterns. 6) Use web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. 7) Limit the privileges of the web server user to minimize the impact of any successful exploitation. 8) Regularly audit server logs for suspicious requests that may indicate exploitation attempts. These measures go beyond generic advice by focusing on both immediate patching and longer-term secure coding and configuration practices specific to PHP file inclusion vulnerabilities.