CVE-2026-24538 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly known as a Local File Inclusion (LFI) flaw, found in the Omnipress product by omnipressteam. The vulnerability affects Omnipress versions up to and including 1.6.6. It arises because the application does not properly validate or sanitize user-supplied input used in PHP include or require statements, allowing an attacker with at least low-level privileges to manipulate the filename parameter. This manipulation enables the attacker to include arbitrary local files on the server, potentially exposing sensitive information such as configuration files, source code, or credentials. The CVSS v3.1 score is 7.6, indicating a high severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges, no user interaction, and impacts confidentiality highly, with limited integrity and availability impacts. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the potential for information disclosure and partial system compromise. The vulnerability is particularly dangerous in web-facing environments where Omnipress is deployed, as attackers can leverage it to gain insights into the system or pivot to further attacks.

For European organizations, exploitation of CVE-2026-24538 could lead to unauthorized disclosure of sensitive data, including internal configuration files, user credentials, or proprietary information, severely impacting confidentiality. This could result in compliance violations under GDPR due to data exposure. The partial integrity impact may allow attackers to influence application behavior or escalate privileges, while availability impact, though limited, could disrupt services. Organizations relying on Omnipress for publishing or content management may face operational disruptions and reputational damage. The risk is heightened for sectors with stringent data protection requirements such as finance, healthcare, and government institutions. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, increasing the overall threat landscape.

1. Apply official patches or updates from omnipressteam as soon as they become available to address the vulnerability directly. 2. Until patches are released, implement strict input validation and sanitization on all parameters used in include/require statements to ensure only intended files can be included. 3. Employ web application firewalls (WAF) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. 4. Restrict PHP include paths using configuration directives such as open_basedir to limit accessible directories. 5. Conduct regular code audits and penetration testing focusing on file inclusion and input validation weaknesses. 6. Monitor logs for unusual file access patterns or errors indicative of exploitation attempts. 7. Limit privileges of web server and application accounts to minimize the impact of successful exploitation. 8. Educate development teams on secure coding practices related to file inclusion and input handling.