CVE-2026-57647
Deferred - Pending Action
Local File Inclusion in Panorama Viewer 360 Degree Image Video Viewer

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
patchstack | panorama_viewer | to 1.6.1 (inc)
patchstack | panorama_viewer | From 1.7.0 (inc)
CWE ID | Description
CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Executive Summary

The WordPress Panorama Viewer – 360 Degree Image + Video Viewer Plugin, versions 1.6.1 and below, is vulnerable to Local File Inclusion (LFI). This means an attacker with contributor-level privileges can exploit the vulnerability to include and display local files from the target website.

If sensitive files such as those containing database credentials are accessed, this could potentially lead to a complete database takeover depending on the server configuration.

The vulnerability is classified under OWASP Top 10 A3: Injection and has a CVSS severity score of 7.5.

Impact Analysis

This vulnerability can allow an attacker with contributor-level access to include and view local files on your website.

If the attacker accesses sensitive files such as database credentials, it could lead to a complete database takeover, compromising the confidentiality, integrity, and availability of your data.

Overall, this can result in significant security breaches and loss of control over your website's data.

Detection Guidance

The vulnerability is a Local File Inclusion (LFI) in the Panorama Viewer plugin versions 1.6.1 and below, which requires contributor-level privileges to exploit.

Detection can focus on identifying the presence of the vulnerable plugin version on your WordPress installation.

Since the vulnerability involves inclusion of local files, monitoring web requests for suspicious parameters attempting to include local files may help detect exploitation attempts.

Specific commands are not provided in the available resources.
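
The two detection ideas above (check the installed plugin version, and review requests for file-path values in parameters) can be sketched as follows. This is an added example, not code from the plugin, Patchstack, or this advisory; the parameter name, log lines, and marker patterns are constructed assumptions, since the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

FIXED = (1, 7, 0)  # first patched release named on this page

def parse_plugin_version(header_text):
    """Return the 'Version:' value of a WordPress plugin header as a 3+ tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """Affected range per this page: 1.6.1 and below, patched in 1.7.0."""
    return version is not None and version < FIXED

# Generic file-inclusion markers (assumed heuristics, not plugin-specific):
# directory traversal, absolute /etc/ paths, PHP stream wrappers, NUL byte.
LFI_MARKERS = re.compile(r"\.\.[/\\]|^/etc/|^(?:php|file|phar)://|\x00", re.I)

def suspicious_requests(log_lines):
    """Return (line_no, param, decoded_value) for parameters that look like paths."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)  # second pass catches double encoding
            if LFI_MARKERS.search(decoded):
                hits.append((n, key, decoded))
    return hits

# Constructed sample input: a plugin header and two access-log lines.
SAMPLE_HEADER = "/*\n * Plugin Name: Example Plugin\n * Version: 1.6.1\n */"
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2026:10:00:00 +0000] '
    '"GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Jun/2026:10:00:05 +0000] '
    '"GET /index.php?example_param=..%2F..%2Fsecret.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    version = parse_plugin_version(SAMPLE_HEADER)
    print("version:", version, "vulnerable:", is_vulnerable(version))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Matches are leads for review rather than proof of exploitation, and POST bodies are not present in standard access logs.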

Mitigation Strategies

The immediate mitigation step is to update the Panorama Viewer plugin to version 1.7.0 or later, which contains the patch for this vulnerability.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins is recommended to reduce risk.

Since exploitation requires contributor-level privileges, reviewing and restricting user permissions may also help mitigate risk.

Compliance Impact

The Local File Inclusion vulnerability in the Panorama Viewer plugin could allow attackers to access sensitive files, including those containing credentials. This exposure could lead to a complete database takeover depending on server configuration.

Such unauthorized access to sensitive data may result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, potentially leading to violations of these common standards and regulations.
