The vulnerability CVE-2025-49508 affects LoftOcean CozyStay before version 1.7.1 and is caused by improper validation of filenames used in PHP include or require statements. This improper control enables a Local File Inclusion attack, where an attacker can cause the application to include unintended files from the local filesystem. The CVSS 3.1 vector indicates the attack requires network access, has high complexity, no privileges or user interaction needed, and impacts confidentiality, integrity, and availability with high severity. The vulnerability is published and assigned by Patchstack, but no patch or vendor advisory is currently available.

Successful exploitation of this vulnerability can lead to local file inclusion, which may allow attackers to read sensitive files, execute arbitrary code, or escalate privileges depending on the server configuration and application context. The CVSS score of 8.1 reflects a high impact on confidentiality, integrity, and availability. No known exploits have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying temporary mitigations such as restricting file inclusion paths, disabling remote file inclusion in PHP settings, or using web application firewalls to detect and block suspicious requests. Monitor vendor channels for updates and apply official patches promptly once released.