CVE-2025-58954 is an unauthenticated Local File Inclusion vulnerability in ThemeREX HomeRoofer (<= 2.11.0) caused by improper control of filenames used in PHP include/require statements (CWE-98). This flaw allows remote attackers to include arbitrary local files on the server, which can lead to remote code execution or information disclosure. The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability with network attack vector, high attack complexity, no privileges required, and no user interaction needed. No patch or official remediation level has been published by the vendor as of the latest advisory.

Successful exploitation of this vulnerability can lead to complete compromise of the affected system, including unauthorized disclosure of sensitive information, modification of data, and disruption of service. The attacker can include local files on the server, potentially executing arbitrary code or accessing sensitive configuration files. The vulnerability is exploitable remotely without authentication but requires high attack complexity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the vulnerable application and consider implementing web application firewall (WAF) rules to detect and block suspicious file inclusion attempts. Monitor for updates from ThemeREX regarding patches or official mitigations.