{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39681", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.155Z", "datePublished": "2026-04-08T08:30:41.127Z", "dateUpdated": "2026-04-08T08:30:41.127Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "homeo", "product": "Homeo", "vendor": "ApusTheme", "versions": [{"lessThanOrEqual": "1.2.59", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:41.938Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.<p>This issue affects Homeo: from n/a through <= 1.2.59.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:41.127Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/homeo/vulnerability/wordpress-homeo-theme-1-2-59-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Homeo theme <= 1.2.59 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59."}], "id": "CVE-2026-39681", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:39.870", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/homeo/vulnerability/wordpress-homeo-theme-1-2-59-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.59]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Homeo", "source": "cna", "vendor": "ApusTheme"}, "product": "homeo", "vendor": "apustheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:56:15.986615+00:00", "value": {"mitigation_remediation": ["Apply the latest Homeo theme update that fixes the LFI issue.", "Verify that the Homeo theme version is 1.2.60 or later.", "Disable WordPress file editing by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.", "If an update is not yet available, restrict the theme directory permissions to read only for the owner to limit local file access."], "summary": {"action": "Immediate Update", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "Any WordPress site that incorporates the Homeo theme version 1.2.59 or older is affected. No other products or platforms are listed.", "description_and_impact": "The vulnerability arises from an improper control of the filename used in a PHP include/require statement within the ApusTheme Homeo WordPress theme. Attackers can force the application to include arbitrary files, potentially exposing sensitive configuration data or executing injected PHP code. This flaw can lead to full compromise of the site, aligning with CWE\u201198.", "risk_and_exploitability": "The flaw enables Local File Inclusion, which can be leveraged for remote code execution if an attacker can supply a path to a PHP file they control. The lack of CVSS or EPSS data does not suggest a low risk, and the potential severity warrants caution. The exploit requires some user interaction or uploaded content, making the risk moderate to high in the absence of a patch."}}}}, "created": "2026-04-08T19:27:52.648423+00:00", "updated": "2026-04-08T19:40:39.902846+00:00", "vendors": ["apustheme", "apustheme$PRODUCT$homeo", "wordpress", "wordpress$PRODUCT$wordpress"]}