CVE-2026-25380 is a Local File Inclusion (LFI) vulnerability found in the jwsthemes Feedy product, specifically affecting versions prior to 2.1.5. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the file path and include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive files such as configuration files, source code, or other data stored on the server. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or if the attacker can upload malicious files. The vulnerability does not require authentication, making it accessible to remote attackers who can send crafted requests to the vulnerable application. Although no public exploits have been reported yet, the flaw is publicly disclosed and documented in the CVE database. The lack of a CVSS score means severity must be assessed based on the impact on confidentiality, integrity, and availability, ease of exploitation, and scope of affected systems. Feedy is a PHP-based theme or plugin product used in web content management, and the vulnerability affects all installations running versions before 2.1.5. The root cause is insufficient input validation or sanitization of parameters controlling file inclusion paths, a common and critical security weakness in PHP applications.

The primary impact of CVE-2026-25380 is unauthorized disclosure of sensitive information through Local File Inclusion. Attackers can read arbitrary files on the server, potentially exposing credentials, configuration data, or private user information. This can lead to further attacks such as privilege escalation, remote code execution (if combined with other vulnerabilities), or lateral movement within the network. The vulnerability compromises confidentiality and potentially integrity if attackers can manipulate included files. Availability impact is generally low unless the attacker uses the vulnerability to disrupt service. Organizations running vulnerable versions of Feedy risk data breaches, reputational damage, and compliance violations. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad. The lack of known exploits currently limits immediate widespread damage, but the public disclosure increases the risk of future exploitation. Web servers hosting Feedy themes are the primary targets, and the impact is more severe in environments with sensitive data or critical web applications.

To mitigate CVE-2026-25380, organizations should immediately upgrade Feedy to version 2.1.5 or later where the vulnerability is patched. If upgrading is not immediately possible, implement strict input validation and sanitization on all parameters controlling file inclusion paths to ensure only allowed files can be included. Employ whitelisting of permissible file paths and disable dynamic file inclusion where feasible. Configure PHP settings to disable allow_url_include and limit file access permissions to reduce the impact of exploitation. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit LFI patterns. Regularly audit and monitor web server logs for unusual access patterns or errors related to file inclusion. Conduct security testing and code reviews focused on input handling in PHP include/require statements. Educate developers on secure coding practices to prevent similar vulnerabilities in the future.