CVE-2026-22380 is a vulnerability identified in AncoraThemes' UnlimHost product, specifically affecting versions up to and including 1.2.3. The issue arises from improper control over the filename parameter used in PHP include or require statements, which enables Remote File Inclusion (RFI) or Local File Inclusion (LFI). This flaw allows attackers to manipulate the file path input to include arbitrary files from remote or local sources. When exploited, this can lead to arbitrary code execution on the server, compromising the confidentiality, integrity, and availability of the system. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, although the attack complexity is rated high, likely due to the need for specific conditions or configurations. The CVSS v3.1 base score is 8.1, reflecting a high severity with network attack vector, no privileges required, no user interaction, and high impact on all security properties. Despite no known exploits currently in the wild, the vulnerability represents a critical risk for web servers running vulnerable versions of UnlimHost, especially those exposed to the internet. The lack of available patches at the time of publication necessitates immediate attention to alternative mitigations.

The impact of CVE-2026-22380 is substantial for organizations using AncoraThemes UnlimHost versions up to 1.2.3. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands, deploy malware, or pivot within the network. This compromises system confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by potentially causing service disruptions or denial of service. Given the vulnerability requires no authentication and no user interaction, any internet-facing UnlimHost installation is at risk. The high attack complexity may limit widespread exploitation but does not eliminate the threat, especially from skilled attackers targeting specific organizations. This vulnerability could be leveraged in targeted attacks against hosting providers, websites, or applications relying on UnlimHost, leading to data breaches, defacement, or infrastructure compromise.

To mitigate CVE-2026-22380, organizations should first check for and apply any official patches or updates from AncoraThemes as they become available. In the absence of patches, immediate steps include disabling or restricting the use of dynamic include/require statements in PHP code, especially those that incorporate user-supplied input. Implement strict input validation and sanitization to ensure only allowed file paths are processed. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion attempts. Restrict file permissions and isolate web server directories to limit the impact of any file inclusion. Monitor server logs for unusual access patterns or errors related to file inclusion. Additionally, consider deploying runtime application self-protection (RASP) tools to detect and prevent exploitation attempts in real time. Regularly audit and review PHP configurations to disable remote file inclusion if not required (e.g., setting allow_url_include to Off).