{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27076", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:54.687Z", "dateUpdated": "2026-03-25T16:14:54.687Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "luxedrive", "product": "LuxeDrive", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:34.037Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes LuxeDrive luxedrive allows PHP Local File Inclusion.<p>This issue affects LuxeDrive: from n/a through <= 1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes LuxeDrive luxedrive allows PHP Local File Inclusion.This issue affects LuxeDrive: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:54.687Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/luxedrive/vulnerability/wordpress-luxedrive-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress LuxeDrive theme <= 1.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes LuxeDrive luxedrive allows PHP Local File Inclusion.This issue affects LuxeDrive: from n/a through <= 1.0."}], "id": "CVE-2026-27076", "lastModified": "2026-03-25T17:16:55.050", "metrics": {}, "published": "2026-03-25T17:16:55.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/luxedrive/vulnerability/wordpress-luxedrive-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "luxedrive", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:26:47.244920+00:00", "value": {"mitigation_remediation": ["Upgrade Mikado\u2011Themes LuxeDrive to a version newer than 1.0"], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "All installations of Mikado\u2011Themes LuxeDrive version 1.0 or earlier are affected. No specific patch versions are listed in the CVE data; therefore any release up to and including 1.0 may be vulnerable. Versions newer than 1.0, if they exist, are presumed not to contain the flaw.", "description_and_impact": "The LuxeDrive WordPress theme contains an improper control of the filename used in a PHP include/require statement, identified as CWE\u201198. This flaw permits the theme to read or execute files that should not be accessible. If an attacker can place a PHP file in a writable directory, inclusion of that file could lead to arbitrary code execution. Even without code execution, reading sensitive configuration or database files poses severe confidentiality risks.", "risk_and_exploitability": "The likely attack vector involves supplying crafted input that determines the filename passed to the include/require call, such as a specially designed URL or form submission. The CVE does not provide an EPSS score or KEV listing, suggesting no widespread exploitation has been documented yet. Nonetheless, the vulnerability remains significant, especially on sites where the theme has write access to web-accessible directories, enabling attackers to upload malicious files and trigger execution or read critical configuration data."}}}}, "created": "2026-03-25T21:44:01.166158+00:00", "updated": "2026-03-26T11:37:58.688295+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$luxedrive", "wordpress", "wordpress$PRODUCT$wordpress"]}