This vulnerability (CVE-2026-22338) involves improper control of filenames used in include or require statements within the PHP-based ThemeREX EcoBlue product, specifically affecting versions up to 1.15. The flaw allows unauthenticated attackers to perform local file inclusion, which can be leveraged to execute arbitrary code or disclose sensitive information. The CVSS v3.1 base score is 8.1, indicating high impact with network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official remediation level has been published as of the provided data.

Successful exploitation can lead to remote code execution, full system compromise, and unauthorized disclosure or modification of data. The vulnerability affects confidentiality, integrity, and availability at a high level. Since the attack requires no authentication and can be performed remotely, the risk to affected systems is significant.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to vulnerable endpoints, applying web application firewalls with rules to detect and block file inclusion attempts, and monitoring for suspicious activity related to file inclusion. Avoid exposing the vulnerable application to untrusted networks where possible.