{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27078", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:55.015Z", "dateUpdated": "2026-03-25T16:14:55.015Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "emaurri", "product": "Emaurri", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 1.0.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:34.505Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Emaurri emaurri allows PHP Local File Inclusion.<p>This issue affects Emaurri: from n/a through <= 1.0.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Emaurri emaurri allows PHP Local File Inclusion.This issue affects Emaurri: from n/a through <= 1.0.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.015Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/emaurri/vulnerability/wordpress-emaurri-theme-1-0-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Emaurri theme <= 1.0.1 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Emaurri emaurri allows PHP Local File Inclusion.This issue affects Emaurri: from n/a through <= 1.0.1."}], "id": "CVE-2026-27078", "lastModified": "2026-03-25T17:16:55.313", "metrics": {}, "published": "2026-03-25T17:16:55.313", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/emaurri/vulnerability/wordpress-emaurri-theme-1-0-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "emaurri", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:43:20.437976+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Emaurri theme, which removes the vulnerable include statement.", "If an update is not immediately possible, deactivate or delete the theme until a patched version is installed.", "Ensure that PHP\u2019s allow_url_include directive is disabled and that the theme\u2019s include paths are restricted to safe directories."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The Mikado\u2011Themes Emaurri WordPress theme is affected. All releases from the earliest available version up through 1.0.1 are vulnerable, including any site that has installed these versions of the theme.", "description_and_impact": "An improper control of the filename used in a PHP include/require statement allows the Emaurri theme to include files from the local filesystem. This vulnerability can lead to reading sensitive files or, if the included file contains executable PHP code, remote code execution by an attacker. The weakness is a classic Local File Inclusion flaw.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable, so the absolute severity cannot be quantified from the data. However, because the flaw allows inclusion of arbitrary local files, the potential impact is significant and suitable for exploitation by an attacker with network access to the web server. The likely attack vector is remote via a crafted HTTP request that manipulates the include path, but this is inferred from the nature of LFI vulnerabilities. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widely known exploits have been documented yet."}}}}, "created": "2026-03-25T21:43:58.963467+00:00", "updated": "2026-03-26T11:37:56.789809+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$emaurri", "wordpress", "wordpress$PRODUCT$wordpress"]}