CVE-2026-22521: WordPress Handmade Framework plugin <= 3.9 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.
Other sources
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework handmade-framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through <= 3.9.
— MITRE
Frequently Asked Questions
What is the severity of CVE-2026-22521?
CVE-2026-22521 is considered to be of high severity. The weakness is improper control of the filename passed to a PHP include/require statement, which in this plugin allows PHP local file inclusion.
How do I fix CVE-2026-22521?
To fix CVE-2026-22521, upgrade the Handmade Framework to version 4.0 or later, which resolves the local file inclusion issue.
What software is affected by CVE-2026-22521?
CVE-2026-22521 affects Handmade Framework versions from n/a through 3.9.
Can CVE-2026-22521 lead to unauthorized access?
Yes, CVE-2026-22521 can lead to unauthorized access if exploited, allowing attackers to include malicious files.
Is CVE-2026-22521 limited to PHP applications?
Yes, CVE-2026-22521 pertains specifically to PHP applications using the Handmade Framework.