CVE-2026-32401 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP programs, specifically affecting the 'Client Invoicing by Sprout Invoices' plugin by BoldGrid. This vulnerability allows Remote File Inclusion (RFI), where an attacker can manipulate the filename parameter used in PHP's include or require statements to load arbitrary remote files. This can lead to remote code execution on the server hosting the vulnerable application. The vulnerability affects all versions up to and including 20.8.9. The root cause is insufficient validation or sanitization of user-supplied input that controls the file path in include/require functions. Exploiting this flaw, an attacker can execute malicious PHP code remotely, potentially gaining full control over the web server, accessing sensitive data, modifying or deleting files, or pivoting to other internal systems. No CVSS score has been assigned yet, and no public exploit code is known at this time. The vulnerability was reserved and published in March 2026 by Patchstack. The lack of patches or mitigations from the vendor increases the urgency for organizations to implement interim protective measures. This issue is critical because it allows unauthenticated attackers to execute arbitrary code remotely, which is one of the most severe classes of web application vulnerabilities.

The impact of CVE-2026-32401 is severe for organizations using the affected invoicing plugin. Successful exploitation can lead to remote code execution, allowing attackers to fully compromise the web server. This can result in data breaches exposing sensitive client and financial information, disruption of invoicing services causing business interruptions, and potential lateral movement within the corporate network. The integrity of financial data and invoices can be compromised, leading to fraudulent transactions or financial loss. Additionally, attackers could deploy ransomware or other malware, further escalating the damage. Since the vulnerability requires no authentication and can be triggered remotely, the attack surface is broad, especially for internet-facing installations. Organizations relying on this plugin for client invoicing are at high risk, and the reputational damage from a breach could be significant. The absence of known exploits currently provides a limited window for mitigation, but the potential for rapid exploitation once exploit code becomes available is high.

To mitigate CVE-2026-32401, organizations should immediately audit and restrict all user inputs that influence file inclusion paths within the affected plugin. Implement strict input validation and sanitization to ensure only expected, safe file paths are processed. Employ allowlisting of file names or directories that can be included, avoiding dynamic inclusion of user-controlled paths. Disable remote file inclusion in PHP configurations by setting 'allow_url_include' to 'Off' and 'allow_url_fopen' to 'Off' where possible. Monitor web server logs for suspicious requests attempting to manipulate include parameters. Use Web Application Firewalls (WAFs) to detect and block exploitation attempts targeting file inclusion vulnerabilities. Isolate the invoicing application environment to limit potential lateral movement if compromised. Stay alert for vendor patches or updates and apply them promptly once available. Consider temporarily disabling or replacing the plugin if immediate patching is not feasible. Conduct regular backups of invoicing data and test recovery procedures to minimize impact from potential attacks.