CVE-2026-32505 identifies a Local File Inclusion (LFI) vulnerability in the CreativeWS Kiddy PHP application, affecting versions up to and including 2.0.8. The vulnerability stems from improper control over the filename parameter used in PHP's include or require statements, which are functions that incorporate external files into the executing script. When user input is not properly sanitized or validated before being used in these statements, attackers can manipulate the input to include unintended files from the local filesystem. This can lead to disclosure of sensitive information such as configuration files, source code, or credentials. In some cases, LFI can be leveraged to execute arbitrary code, especially if combined with other vulnerabilities or if the attacker can upload malicious files to the server. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers who can send crafted HTTP requests to the affected application. There are no known public exploits or active attacks reported at this time, but the vulnerability is published and should be treated seriously. The lack of a CVSS score suggests that the vulnerability is newly disclosed and pending further analysis. The affected product, Kiddy, is a PHP-based application developed by CreativeWS, and the vulnerability affects all versions up to 2.0.8. The root cause is insufficient input validation on parameters controlling file inclusion paths, a common security issue in PHP applications. Without proper mitigation, attackers can gain unauthorized access to sensitive files or execute code, potentially compromising the entire web server and connected systems.

The exploitation of this vulnerability can have severe consequences for organizations running the affected versions of CreativeWS Kiddy. An attacker exploiting the LFI flaw can access sensitive files on the server, such as configuration files containing database credentials, user data, or application source code. This exposure can lead to further attacks, including privilege escalation or lateral movement within the network. In some scenarios, attackers may chain this vulnerability with other weaknesses to achieve remote code execution, resulting in full system compromise. The confidentiality, integrity, and availability of the affected systems are at risk. Organizations may face data breaches, service disruptions, and reputational damage. The impact is particularly critical for organizations hosting sensitive or regulated data, such as financial, healthcare, or government sectors. Additionally, the vulnerability can be exploited without authentication, increasing the attack surface and risk. Although no active exploits are reported, the potential for rapid weaponization exists once exploit code becomes publicly available. Therefore, timely mitigation is essential to prevent exploitation and protect organizational assets.

To mitigate CVE-2026-32505, organizations should first check for and apply any official patches or updates released by CreativeWS for the Kiddy product. If patches are not yet available, immediate mitigations include implementing strict input validation and sanitization on all parameters used in include or require statements to ensure only intended files can be included. Employ whitelisting techniques to restrict file inclusion to a predefined set of safe files or directories. Disable the use of remote file inclusion features in PHP configuration (e.g., setting allow_url_include to Off) to reduce risk. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities. Conduct thorough code reviews and security testing to identify and remediate similar issues in the application. Monitor server and application logs for unusual file access patterns or error messages indicative of exploitation attempts. Additionally, consider implementing least privilege principles for the web server process to limit the impact of a successful attack. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.