CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Abstraction: Variant · CVEs in our corpus: 1,114

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)AI

Control	Title	Family	Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE	Risk	CVSS	EPSS	Published
`CVE-2024-12209`	7.4	9.8	0.8985	2024-12-08
`CVE-2023-3452`	7.2	9.8	0.8783	2023-08-12
`CVE-2024-10571`	7.2	9.8	0.8729	2024-11-14
`CVE-2023-49084`	6.9	8.0	0.8834	2023-12-21
`CVE-2025-68645` KEV	6.8	8.8	0.5096	2025-12-22
`CVE-2023-6989`	5.9	9.8	0.6578	2024-02-05
`CVE-2024-27971`	5.7	8.3	0.6736	2024-05-17
`CVE-2024-3806`	5.5	9.8	0.5936	2024-05-14
`CVE-2024-3136`	5.2	9.8	0.5421	2024-04-09
`CVE-2023-2249`	4.6	8.8	0.4816	2023-06-09
`CVE-2023-5815`	4.6	8.1	0.4916	2023-11-22
`CVE-2024-32523`	4.5	8.1	0.4743	2024-05-17
`CVE-2024-8252`	4.4	8.8	0.4415	2024-08-30
`CVE-2023-31718`	3.8	7.5	0.3764	2023-09-22
`CVE-2023-31716`	3.7	7.5	0.3711	2023-09-22
`CVE-2021-21804`	3.6	9.8	0.2781	2021-07-16
`CVE-2015-10133`	3.6	7.2	0.3653	2025-07-19
`CVE-2026-0926`	3.2	9.8	0.2027	2026-02-19
`CVE-2012-10025`	3.0	0.0	0.5018	2025-08-05
`CVE-2024-9193`	2.9	9.8	0.1605	2025-02-28
`CVE-2022-4606`	2.7	9.8	0.1201	2022-12-18
`CVE-2024-4936`	2.7	9.8	0.1171	2024-06-14
`CVE-2025-4380`	2.6	8.1	0.1651	2025-07-02
`CVE-2024-12571`	2.5	9.8	0.0950	2024-12-20
`CVE-2023-5199`	2.3	9.9	0.0486	2023-10-30