CVE-2026-57799 in Nuss Plugin
Summary
by MITRE • 07/13/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Nuss nuss allows PHP Local File Inclusion.This issue affects Nuss: from n/a through <= 1.3.6.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
The vulnerability described represents a critical improper control of filename for include/require statement in PHP applications, commonly known as PHP Remote File Inclusion or PHP Local File Inclusion. This flaw occurs when user-supplied input is directly incorporated into PHP include or require statements without proper validation or sanitization. The uxper Nuss nuss application suffers from this weakness, allowing attackers to manipulate the filename parameter passed to include/require functions, potentially leading to arbitrary code execution or unauthorized file access.
This vulnerability falls under CWE-98 which specifically addresses Improper Control of Filename for Include/Require Statement. The flaw exists in the application's handling of user input where filenames are directly concatenated into include statements without adequate sanitization measures. When an attacker can control the filename parameter, they can potentially load malicious files from remote servers or local system files that should not be accessible through normal application operations.
The operational impact of this vulnerability is severe as it allows for complete system compromise when exploited properly. An attacker could leverage this weakness to execute arbitrary PHP code on the target server, gain access to sensitive data, escalate privileges, or establish persistent backdoors. The vulnerability affects Nuss versions from n/a through 1.3.6, indicating that multiple iterations of the software contain this critical flaw. This represents a significant security risk for organizations using affected versions as it provides attackers with a straightforward path to system compromise.
The attack surface is particularly dangerous because PHP's include/require functions can execute code from remote URLs when allow_url_include is enabled in php.ini configuration, or they can access local files when the application lacks proper input validation. This vulnerability maps directly to ATT&CK technique T1505.003 which covers Server Software Component compromise through web shell deployment. Organizations should immediately implement mitigations including disabling allow_url_include, validating all user inputs, implementing proper input sanitization, and restricting file access permissions to prevent unauthorized code execution.
Mitigation strategies should include immediate patching of affected Nuss versions to 1.3.7 or higher where the vulnerability has been addressed. Additionally, administrators must ensure that allow_url_include is disabled in php.ini configuration files, implement strict input validation for all parameters used in include/require statements, and employ proper file access controls. Regular security audits should verify that no user-controllable variables are directly passed to PHP include functions without adequate sanitization. The application should also implement a whitelist approach for file inclusion, where only pre-approved filenames are allowed, rather than accepting arbitrary input values.
Implementation of proper input validation and sanitization techniques can prevent this vulnerability from being exploited. This includes using allowlist-based validation methods, implementing proper error handling to avoid information disclosure, and conducting regular penetration testing to identify similar weaknesses in the codebase. Organizations should also consider implementing web application firewalls to detect and block suspicious include/require parameter values that may indicate exploitation attempts.
The root cause of this vulnerability demonstrates a fundamental flaw in secure coding practices within the Nuss application development lifecycle. This weakness highlights the importance of following security best practices such as input validation, output encoding, and principle of least privilege when developing web applications. The vulnerability serves as a reminder that even seemingly simple functions like file inclusion can become critical attack vectors when proper security controls are not implemented. Regular security training for developers and implementation of automated code review processes should be prioritized to prevent similar issues in future software releases.
Organizations relying on Nuss versions through 1.3.6 must urgently assess their exposure to this vulnerability and implement comprehensive remediation measures. The potential for remote code execution makes this a critical priority that cannot be ignored, particularly when considering the wide range of possible attack scenarios that could lead to complete system compromise. Immediate action should include patching the application, reviewing all input handling mechanisms, and conducting thorough security assessments to ensure no other similar vulnerabilities exist within the software ecosystem.