CVE-2026-28065 identifies a Local File Inclusion (LFI) vulnerability in the ThemeREX Eject product, a PHP-based theme or plugin component used in web applications. The vulnerability arises from improper control over the filename parameter used in PHP's include or require statements, allowing an attacker to manipulate the input and cause the application to include unintended files from the local filesystem. This can lead to disclosure of sensitive files such as configuration files, password stores, or source code, and in some cases, can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The affected versions are all up to and including 2.17. The vulnerability was published in March 2026, with no CVSS score assigned yet and no known exploits reported. The flaw is significant because PHP include/require statements are critical points of trust, and improper validation can lead to severe security breaches. The vulnerability is categorized under improper control of filenames for include/require statements, a common vector for LFI attacks. Since the vulnerability is local file inclusion rather than remote file inclusion, the attacker is limited to files accessible on the server, but this still poses a serious risk. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

The impact of this vulnerability can be severe for organizations using ThemeREX Eject, particularly those running PHP-based web applications or content management systems that incorporate this theme. Exploitation could allow attackers to read sensitive files such as configuration files containing database credentials, environment variables, or application source code, leading to information disclosure. In some scenarios, attackers might chain this vulnerability with other flaws to achieve remote code execution, resulting in full server compromise. This could lead to data breaches, defacement, service disruption, or use of the compromised server as a pivot point for further attacks. The vulnerability affects confidentiality and potentially integrity and availability if exploited to execute malicious code or disrupt services. Organizations with public-facing web servers using the affected versions are at the highest risk. The absence of known exploits currently reduces immediate threat but does not eliminate the risk, as attackers may develop exploits once the vulnerability details are widely known.

Organizations should immediately audit their use of the ThemeREX Eject product and identify if they are running affected versions (up to 2.17). Until an official patch is released, practical mitigations include: 1) Implement strict input validation and sanitization on any parameters used in include or require statements to prevent manipulation. 2) Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. 3) Restrict PHP file inclusion paths using open_basedir or disable allow_url_include in PHP configurations to limit file inclusion to safe directories. 4) Monitor web server logs for suspicious requests attempting to include unexpected files. 5) Consider temporarily disabling or replacing the vulnerable component if feasible. 6) Stay updated with vendor advisories and apply patches immediately once available. 7) Conduct security testing and code review focused on file inclusion points within the application. These steps go beyond generic advice by focusing on configuration hardening and proactive detection tailored to this vulnerability type.