What the vulnerability does
01Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion.This issue affects Depot: from n/a through <= 1.16.
Explanation of Vulnerability in Simple Terms
02Summary
Depot versions 1.16 and earlier contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on affected sites. The vulnerability requires high attack complexity but grants full read, write, and system access once exploited. Site administrators should update immediately to a version newer than 1.16.
What an attacker can do
03Attacker Capabilities
Execute arbitrary code on the site and access all data without authentication.
Potential impact on your site
04Site Impact
Complete compromise of site data, functionality, and server resources if exploited.
Conditions required to exploit
05Prerequisites
Network access to the site; no user authentication required, but exploitation requires specific technical conditions.
Key dates
06Disclosure timeline
January 22, 2026
CVE published
April 28, 2026
Record updated