{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27081", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:58.963Z", "datePublished": "2026-03-25T16:14:55.507Z", "dateUpdated": "2026-03-25T16:14:55.507Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "rosebud", "product": "Rosebud", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.375Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion.<p>This issue affects Rosebud: from n/a through <= 1.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion.This issue affects Rosebud: from n/a through <= 1.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.507Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Rosebud theme <= 1.4 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion.This issue affects Rosebud: from n/a through <= 1.4."}], "id": "CVE-2026-27081", "lastModified": "2026-03-25T17:16:55.700", "metrics": {}, "published": "2026-03-25T17:16:55.700", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Rosebud", "source": "cna", "vendor": "Mikado-Themes"}, "product": "rosebud", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:42:35.524788+00:00", "value": {"mitigation_remediation": ["Update the Rosebud theme to a version newer than 1.4 or uninstall the theme if it is not needed.", "If an update is not immediately possible, restrict the theme\u2019s file inclusion path by commenting out or removing any include/require directives that accept user input.", "Verify that the PHP setting allow_url_include is disabled and that file permissions limit the web server\u2019s ability to read sensitive files.", "Monitor the site for unusual file inclusion attempts and audit PHP error logs for anomalous activity."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Rosebud WordPress theme from its initial version up to and including 1.4, distributed by Mikado\u2011Themes. Any WordPress site that has this theme installed and has not applied the latest update or removed the theme is at risk.", "description_and_impact": "Mikado\u2011Themes Rosebud theme allows a local file inclusion vulnerability in PHP. The flaw results from improper handling of filenames passed to include/require statements, enabling an attacker to read arbitrary files on the server or, in some configurations, execute code from local files. The impact includes potential exposure of sensitive data and possible remote code execution, depending on the server\u2019s file\u2011system permissions and PHP configuration. The weakness corresponds to CWE\u201198, capturing the lack of validation of input used in file operations.", "risk_and_exploitability": "The CVSS score is not provided, and no EPSS value is available, indicating that the likelihood of exploitation in the wild is uncertain. However, the described issue can be leveraged by sending crafted requests to the site, and if the server allows local file inclusion, an attacker could read files outside the web root or execute local PHP code. As the vulnerability has been publicly documented, it is plausible that exploitation tools could be developed. The lack of a KEV listing does not preclude risk, as similar issues often generate targeted attacks once discovered."}}}}, "created": "2026-03-25T21:43:55.883740+00:00", "updated": "2026-03-26T11:37:54.035081+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$rosebud", "wordpress", "wordpress$PRODUCT$wordpress"]}