CVE-2026-28086 in Run Gran Plugin
Summary
by MITRE • 03/05/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Run Gran run-gran allows PHP Local File Inclusion.This issue affects Run Gran: from n/a through <= 2.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/07/2026
The vulnerability identified as CVE-2026-28086 represents a critical PHP Remote File Inclusion flaw that manifests through improper control of filename parameters in include/require statements. This weakness exists within the ThemeREX Run Gran plugin, specifically affecting versions from the initial release through version 2.0. The vulnerability stems from insufficient input validation and sanitization mechanisms that allow malicious actors to manipulate file inclusion directives, potentially leading to unauthorized code execution and system compromise.
This security flaw operates at the intersection of CWE-98 and CWE-89, representing improper control of filename for include/require operations and improper neutralization of special elements used in SQL commands, respectively. The vulnerability enables attackers to exploit the plugin's file inclusion mechanisms by crafting malicious payloads that can execute arbitrary PHP code on the target system. The issue specifically impacts the plugin's handling of user-supplied input that gets directly incorporated into include/require statements without adequate sanitization or validation.
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and data breach potential. Attackers can leverage this flaw to execute malicious code, access sensitive files, escalate privileges, and potentially establish persistent backdoors within the affected environment. The vulnerability affects not only the immediate system but also poses risks to the broader network infrastructure, as compromised systems often serve as launching points for lateral movement and extended attacks. According to ATT&CK framework, this vulnerability maps to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter) tactics, enabling adversaries to gain initial access and execute malicious commands.
Mitigation strategies for this vulnerability require immediate action including updating to the latest version of the ThemeREX Run Gran plugin where the issue has been addressed. Organizations should implement proper input validation and sanitization techniques, employ secure coding practices that avoid direct user input in include/require statements, and deploy web application firewalls to monitor and block suspicious file inclusion attempts. The fix typically involves implementing strict parameter validation, using allowlists for acceptable file paths, and ensuring that all user-supplied inputs undergo comprehensive sanitization before being processed in file inclusion contexts. Additionally, system administrators should conduct thorough security assessments and maintain updated threat intelligence to identify and remediate similar vulnerabilities across their entire software ecosystem.