The vulnerability CVE-2025-49261 affects the thembay Diza PHP application through improper validation or control of filenames used in include or require statements. This allows remote attackers to perform Remote File Inclusion (RFI), potentially executing arbitrary code on the server. The affected versions are up to and including 1.3.8. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality, integrity, and availability, with an attack vector over the network and no privileges or user interaction required. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability can lead to remote code execution, allowing attackers to compromise the affected system fully. This includes unauthorized disclosure of information, modification or deletion of data, and disruption of service. Given the high CVSS score and nature of the vulnerability, the impact is critical to the security posture of affected installations.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting the vulnerable functionality if possible, and apply general PHP security best practices such as disabling remote file inclusion in PHP configuration (e.g., setting allow_url_include to Off). Monitor vendor channels for updates and apply patches promptly once available.