{"uuid": "70c8b415-5647-492c-903e-a465a6a4f0a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51925", "type": "seen", "source": "https://gist.github.com/ZeroBreach-GmbH/09e05b53c3a5e34e9a060860fb2412ba", "content": "##### Description\n\nA Local File Inclusion (LFI) vulnerability exists in the affected web application due to insufficient sanitization of user-supplied input in a file path parameter. Attackers can exploit this flaw to read arbitrary files on the server, including sensitive configuration files, source code or system files.\n\n##### Details\n\n*   **Product:** docuForm FSM Server\n*   **Affected Versions:** 11.11c\n*   **Vulnerability Type:** CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')\n*   **Risk Level:** Medium - CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n*   **Vendor URL:** www.docuform.de\n*   **Vendor acknowledged vulnerability:** Yes\n*   **CVE:** CVE-2026-51925\n\n##### Impact\n\nSuccessful exploitation of this Local File Inclusion vulnerability allows remote attackers to read arbitrary files on the affected server, potentially exposing sensitive information such as configuration files, user credentials or system data like /etc/passwd.\n\n##### References\n\n*   [National Vulnerability Database CVE-2026-51925](https://nvd.nist.gov/vuln/detail/CVE-2026-51925)\n*   [ZeroBreach GmbH - CVE-2026-51925](https://zerobreach.de/blog/security-advisories/CVE-2026-51925.html)\n\n##### Timeline\n\n*   **2025-10:** Vulnerability reported to the vendor.\n*   **2025-11:** Vendor published a fix for the issue.\n*   **2026-06:** Information about the vulnerability is published.\n\n##### Credits\n\n*   Bastian Recktenwald ([Bastian.Recktenwald@ZeroBreach.de](mailto:Bastian.Recktenwald@ZeroBreach.de))", "creation_timestamp": "2026-07-01T08:34:03.308463Z"}