The vulnerability CVE-2026-22362 in axiomthemes Photolia theme arises from improper validation or control of filenames used in PHP include or require statements, enabling PHP Local File Inclusion (LFI). This can allow an attacker to include and execute arbitrary local files on the server, potentially leading to remote code execution or data disclosure. The affected versions include Photolia up to 1.0.3. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to full compromise of the affected system, including unauthorized disclosure of sensitive information, modification of data, and disruption of service. Given the high CVSS score and impact metrics, the vulnerability poses a serious risk to systems running vulnerable versions of Photolia.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor vendor channels for updates. Until a fix is available, consider disabling or removing the affected Photolia theme to mitigate risk.