CVE-2026-27077
Local File Inclusion in MultiOffice β€ 1.2 Enables Code Execution
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mikado-themes | multioffice | to 1.2 (inc) |
| mikado-themes | multioffice | From 1.0 (inc) to 1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper control of the filename used in an include or require statement in a PHP program, specifically in Mikado-Themes MultiOffice. It is a PHP Local File Inclusion (LFI) vulnerability, which means that an attacker can manipulate the filename parameter to include unintended files from the local server.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to include and execute arbitrary files from the local server, potentially leading to unauthorized access to sensitive information, code execution, or further compromise of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-27077 vulnerability allows unauthenticated attackers to include and display local files from the target website, potentially exposing sensitive information such as database credentials.
Exposure of sensitive data could lead to unauthorized access and data breaches, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Therefore, exploitation of this vulnerability could compromise the confidentiality and integrity of protected data, impacting compliance with these common standards and regulations.
What immediate steps should I take to mitigate this vulnerability?
The CVE-2026-27077 vulnerability currently has no official patch available.
Users are advised to update the affected MultiOffice theme if possible.
Until an official patch is released and tested, applying the mitigation rule issued by Patchstack can help block attacks.
It is also recommended to seek assistance from your hosting provider or web developer to implement these mitigations promptly.