CVE-2026-39558EUVD-2026-3767517.06.2026, 13:20Unauthenticated Local File Inclusion in Malmö <= 2.2 versions.PHP Remote File InclusionEnginsightProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVectorNISTPrimary8.1 HIGHNETWORKHIGHNONECVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HAwaiting analysisThis vulnerability is currently awaiting analysis.Base ScoreCVSS 3.xEPSS ScorePercentile: UnknownCommon Weakness EnumerationCWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.Referenceshttps://patchstack.com/database/wordpress/theme/malmo/vulnerability/wordpress-malmoe-theme-2-2-local-file-inclusion-vulnerability?_s_id=cve