CVE-2025-67982 in Urna Plugin
Summary
by MITRE • 02/20/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.
Analysis
by VulDB Data Team • 02/22/2026
CVE-2025-67982 is a critical PHP Remote File Inclusion flaw that lets attackers manipulate include/require statements in the thembay Urna application. The root cause is improper control of the filename parameter passed to PHP include operations, which opens a path to remote code execution through local file inclusion. The flaw is present in every Urna release from the initial version through 2.5.12, so it has persisted across multiple iterations of the software. The weakness is classified as CWE-88, improper control of filename for include/require statements, a well-documented and dangerous class of web application vulnerability.
Technically, the vulnerability lets an attacker inject arbitrary file paths into the include/require directives of the PHP application. Because the application passes user-controllable input to these directives without adequate sanitization or validation, an attacker can name a local file that is then interpreted and executed as PHP code. That turns the include mechanism into a vector for arbitrary code execution on the server, potentially giving the attacker full control of the application environment. The issue is particularly dangerous because it can be exploited without authentication, so anyone who can reach the vulnerable application can attempt it.
The operational impact goes beyond code execution: an attacker can escalate privileges, access sensitive data, and potentially compromise the entire server infrastructure, for example by uploading malicious files, executing shell commands, and establishing persistent backdoors within the application environment. Because the flaw sits in core functionality of the Urna application, exploitation can lead to data breaches, service disruption, and unauthorized access to sensitive information. Organizations running affected versions face a significant risk of compromise, particularly where the application handles sensitive user data or business-critical operations.
Mitigating CVE-2025-67982 requires prompt input validation and sanitization so that malicious filenames never reach include/require. Organizations should upgrade to the latest available version of Urna; version 2.5.13 or higher likely contains the patch for this vulnerability. Further measures include disabling remote file inclusion in the PHP configuration, validating every user-controllable parameter, and adopting secure coding practices that never pass a user-supplied filename directly to include or require. A web application firewall and intrusion detection system can add further layers of protection against exploitation attempts. The ATT&CK framework maps this vulnerability to T1190 - Exploit Public-Facing Application, underlining the need for comprehensive application security hardening and regular vulnerability assessments to prevent successful exploitation.
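The unsafe include pattern the analysis describes, beside a hardened version, as an added PHP example that is not Urna's or VulDB's code; the template parameter name, directory layout and allowlist entries are assumptions:

```php
<?php
// Added example, not code from Urna or VulDB: the unsafe include pattern the
// analysis describes beside a hardened replacement. The parameter name,
// directory layout and template names are hypothetical.
declare(strict_types=1);

// Vulnerable shape: the request decides which file PHP interprets as code.
// The prefix rules out remote URLs, but "../" traversal still reaches any
// local .php file on disk, which is the local file inclusion the CVE names.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened shape: user input is never used as a path directly. It must match
// a fixed allowlist, and the resolved path is confirmed to sit inside the
// templates directory before include runs (belt and braces).
const TEMPLATE_ALLOWLIST = ['default', 'grid', 'list'];

function resolve_template(string $name): ?string
{
    if (!in_array($name, TEMPLATE_ALLOWLIST, true)) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = $base === false ? false : realpath($base . '/' . $name . '.php');
    // realpath() collapses "../" and symlinks; insist the result stays under $base
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown template';
        return;
    }
    include $path;
}

// Defence in depth in php.ini (allow_url_include is PHP_INI_SYSTEM, so set it there):
//   allow_url_include = Off     ; no remote file inclusion at all
//   open_basedir = /var/www/app ; confine every file operation to the app tree

render_template((string) ($_GET['template'] ?? 'default'));
```

The allowlist alone closes the hole; the realpath check and the php.ini settings remain useful because they also cover any other include the application may have missed.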