CVE-2026-28051 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Yacht Rental PHP application, affecting versions up to 2.6. The vulnerability stems from improper control over the filename parameter used in PHP's include or require statements, allowing attackers to manipulate the input to include arbitrary files from the server's filesystem. This occurs due to insufficient input validation or sanitization, which fails to restrict the file paths that can be included. An attacker exploiting this vulnerability can read sensitive files such as configuration files, password files, or application source code, potentially leading to information disclosure. In some cases, if the attacker can upload files or leverage other vulnerabilities, this LFI can escalate to remote code execution by including malicious scripts. The vulnerability does not require authentication but does require the attacker to interact with the application by supplying crafted input parameters. No CVSS score has been assigned yet, and no known public exploits exist at this time. The vulnerability was published on March 5, 2026, and no official patches or fixes have been linked yet. The affected product, Yacht Rental by ThemeREX, is a PHP-based web application or theme commonly used in yacht rental business websites, often integrated with CMS platforms like WordPress. The lack of patch and the nature of the vulnerability make it critical to address promptly to prevent exploitation.

The potential impact of CVE-2026-28051 is significant for organizations using the ThemeREX Yacht Rental theme or application. Successful exploitation can lead to unauthorized disclosure of sensitive information stored on the server, including configuration files, database credentials, and user data, compromising confidentiality. Additionally, attackers may leverage this vulnerability to execute arbitrary code if combined with other weaknesses, threatening system integrity and availability. This can result in website defacement, data breaches, or full server compromise. Organizations with public-facing websites using this theme are at risk of targeted attacks, especially if they do not have proper input validation or web application firewalls in place. The vulnerability can also be used as a foothold for lateral movement within a network. Given the widespread use of PHP and WordPress-based themes globally, the scope of affected systems is broad, increasing the risk of mass exploitation once public exploits emerge.

To mitigate CVE-2026-28051, organizations should immediately implement strict input validation and sanitization on all user-supplied parameters that influence file inclusion functions. Employ whitelisting techniques to restrict file paths and names to known safe values only. Disable the use of dynamic file inclusion where possible or replace include/require statements with safer alternatives. Use PHP configuration directives such as open_basedir to limit the directories accessible to PHP scripts. Monitor web server logs for suspicious requests attempting directory traversal or unusual file inclusion patterns. Deploy a Web Application Firewall (WAF) with rules targeting LFI attack signatures to block exploitation attempts. Keep the ThemeREX Yacht Rental theme and all related software up to date and apply patches promptly once available. Conduct regular security audits and penetration testing to identify similar vulnerabilities. If feasible, isolate the affected application in a sandboxed environment to minimize potential damage.