The vulnerability CVE-2026-32369 affects the Medilink-Core plugin by RadiusTheme and is characterized by improper control over the filename parameter in PHP include or require statements. This flaw enables PHP Local File Inclusion, which can be exploited to include unauthorized files on the server. The affected versions include all versions before 2.0.7. The CVSS v3.1 score is 7.5, indicating a high severity with network attack vector, high complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to unauthorized disclosure of sensitive information, modification of data, and disruption of service on affected systems running vulnerable versions of Medilink-Core. The high CVSS score reflects significant potential damage if exploited.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor RadiusTheme's advisories for updates. Until a fix is available, restricting access to the vulnerable component and applying any recommended temporary mitigations from the vendor is advised.