What the vulnerability does
01 Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion. This issue affects AnyComment: from n/a through <= 0.3.6.
Explanation of Vulnerability in Simple Terms
02 Summary
AnyComment versions 0.3.6 and earlier contain a code injection vulnerability that allows attackers to execute arbitrary code on affected sites. The vulnerability requires user interaction—typically a victim must click a malicious link or visit a crafted page. An attacker with no prior authentication can exploit this to read sensitive data, modify site content, or disrupt service.
What an attacker can do
03 Attacker Capabilities
Execute arbitrary code on the site, read sensitive data, modify content, or cause service disruption.
Potential impact on your site
04 Site Impact
An attacker can run malicious code on your site without needing a user account, potentially compromising your entire installation.
Conditions required to exploit
05 Prerequisites
No authentication required, but the victim must click a link or visit a page controlled by the attacker.
Key dates
06 Disclosure timeline
November 6, 2025: CVE published
April 28, 2026: Record updated