CVE-2026-12194
Received - Intake

Authenticated Local File Inclusion in PHPIPAM API

Vulnerability report for CVE-2026-12194, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Description

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations.


Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: phpipam
Product: phpipam
Version / Range: up to 1.8.1 (inclusive)

Exploitability

CWE-98: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Executive Summary

CVE-2026-12194 is an authenticated local file inclusion (LFI) vulnerability in PHPIPAM version 1.8.1 that is reachable only when the API is enabled. Because the API's controller parameter is not properly sanitized before it is used to select the file to include, users with API access can include or execute arbitrary PHP files on the web server.

The API is not enabled by default, which limits the exposure of this vulnerability.

Impact Analysis

If exploited, this vulnerability could allow an authenticated user to execute arbitrary PHP code on the server, potentially leading to unauthorized actions or data exposure.

However, the impact is limited because the API is disabled by default and there are no default files available to exploit.

Detection Guidance

The vulnerability CVE-2026-12194 in PHPIPAM can be detected by analyzing the code for improper sanitization of the controller parameter in the API, which allows authenticated users to include or execute arbitrary PHP files.

Traditional tools like Semgrep and some cloud-based AI agents failed to reliably detect this issue. However, a local AI model with a custom harness that reviews files individually was successful in consistently identifying the vulnerability.

No specific network or system commands are provided in the available resources for direct detection on a live system or network.

Mitigation Strategies

The API in PHPIPAM is not enabled by default, so one immediate mitigation step is to ensure that the API remains disabled if it is not required.

Since the vulnerability involves authenticated local file inclusion via the API, restricting API access to trusted users and environments can reduce risk.

No official patches or fixes are detailed in the provided resources, and a related GitHub pull request intended to fix the issue was closed without merging.

Therefore, monitoring for updates from the PHPIPAM project and applying any future security patches promptly is recommended.
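To make the CWE-98 shape from the summary and the input validation a fix would need concrete, here is an added illustration: a hypothetical API front controller, not phpIPAM's own code. The controller names on the allow-list and the sample inputs are assumed for the demo.

```php
<?php
// Hypothetical API front controller, NOT phpIPAM's own code. It contrasts the
// unchecked-include shape behind CWE-98 with an allow-list version.

const CONTROLLER_DIR = __DIR__ . '/controllers';

// Controller names the API is meant to expose (assumed, for illustration).
const ALLOWED_CONTROLLERS = ['addresses', 'subnets', 'sections', 'vlans'];

// Vulnerable shape: the request value is spliced into the path and handed
// to include(), so any PHP file the web server can read becomes a candidate.
function controller_path_unchecked(string $controller): string
{
    return CONTROLLER_DIR . '/' . $controller . '.php';
}

// Hardened shape: compare the request value against a fixed list of names
// before building any path. Returns null for anything not on the list.
function controller_path_checked(string $controller): ?string
{
    if (!in_array($controller, ALLOWED_CONTROLLERS, true)) {
        return null;
    }
    return CONTROLLER_DIR . '/' . $controller . '.php';
}

// Where the check lands in a real dispatcher (not invoked by the demo below,
// since no controller files exist in a stand-alone run).
function dispatch(array $request): string
{
    $controller = (string) ($request['controller'] ?? '');
    $file = controller_path_checked($controller);
    if ($file === null) {
        return 'invalid controller';
    }
    // Only a file named on the allow-list is ever reached here.
    require $file;
    return 'dispatched ' . $controller;
}

// Constructed sample values for a stand-alone run (no web server needed).
foreach (['subnets', 'Subnets', '../config', 'subnets/../../x'] as $sample) {
    $checked = controller_path_checked($sample);
    echo str_pad($sample, 18) . ' unchecked=' . controller_path_unchecked($sample)
        . ' checked=' . ($checked ?? 'REJECTED') . PHP_EOL;
}
```

Run with `php` on the command line; only the exact allow-listed name resolves to a path, while case variants and traversal-style values are rejected before any filesystem access.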

Compliance Impact

The provided information does not specify how the authenticated local file inclusion vulnerability in PHPIPAM impacts compliance with common standards and regulations such as GDPR or HIPAA.
