The vulnerability CVE-2025-58955 affects designervily Karzo versions before 2.6 and arises from improper control of filenames in PHP include/require statements. This flaw enables PHP Local File Inclusion, which can be leveraged by attackers to execute arbitrary code or access sensitive files on the server. The CVSS v3.1 score is 8.1, indicating high severity with network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to include local files on the server, potentially leading to arbitrary code execution, data disclosure, and disruption of service. The impact is rated high due to the potential for full system compromise.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to vulnerable endpoints and applying web application firewall rules to block suspicious requests targeting file inclusion. Avoid exposing the affected application to untrusted networks if possible.