{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22511", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.068Z", "datePublished": "2026-03-25T16:14:26.897Z", "dateUpdated": "2026-03-25T16:14:26.897Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "neobeat", "product": "NeoBeat", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.194Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion.<p>This issue affects NeoBeat: from n/a through <= 1.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion.This issue affects NeoBeat: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:26.897Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/neobeat/vulnerability/wordpress-neobeat-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress NeoBeat theme <= 1.2 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion.This issue affects NeoBeat: from n/a through <= 1.2."}], "id": "CVE-2026-22511", "lastModified": "2026-03-25T17:16:33.410", "metrics": {}, "published": "2026-03-25T17:16:33.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/neobeat/vulnerability/wordpress-neobeat-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:50:14.754488+00:00", "value": {"mitigation_remediation": ["Update NeoBeat to the latest version if a patch has been released; if no patch is available, upgrade to a supported theme or contact the vendor for guidance.", "Disable the PHP configuration settings that enable URL includes and set safe_mode to OFF. Ensure that allow_url_include directive is set to Off.", "Validate or hard\u2011code all file paths used in include or require statements to prevent user control of the filename."], "summary": {"action": "Assess Impact", "impact": "Local File Inclusion (potential RCE)"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are Elated\u2011Themes NeoBeat theme versions up to and including 1.2. All installations using NeoBeat 1.2 or earlier are potentially vulnerable.", "description_and_impact": "This vulnerability arises from improper handling of filenames in PHP include or require statements within the NeoBeat theme. The flaw can allow an attacker to specify arbitrary local file paths, leading to Local File Inclusion attacks and potentially enabling execution of arbitrary PHP code. The flaw is categorized as CWE\u201198, indicating an insecure handling of filenames or paths.", "risk_and_exploitability": "While no CVSS score or EPSS value is supplied, the nature of a Local File Inclusion flaw that can lead to remote code execution represents a moderate to high risk. The attack vector is inferred to be a remote web request that supplies a crafted parameter controlling the include path. In the absence of mitigation, an attacker could read sensitive files or run malicious code, compromising confidentiality, integrity, and availability of the affected site."}}}}, "created": "2026-03-25T21:35:09.268002+00:00", "updated": "2026-03-25T21:35:09.268099+00:00", "vendors": []}