What is CVE-2025-26757?

A high-severity PHP Local File Inclusion vulnerability in FULL SERVICES FULL Customer could allow unauthorized access to sensitive files. Organizations using affected versions should prioritize patching to mitigate risks.

What is the severity of CVE-2025-26757?

CVE-2025-26757 has a severity rating of HIGH with a CVSS base score of 7.5.

CVE-2025-26757 | High Vulnerability in FULL SERVICES FULL Customer

CVE-2025-26757 is a high-severity vulnerability affecting the FULL SERVICES FULL Customer plugin, allowing for PHP Local File Inclusion due to improper control of filenames in include/require statements. The vulnerability has a CVSS score of 7.5, indicating significant risk to systems that utilize this software. The vulnerability is classified under CWE-98, which pertains to improper control of filenames.

The impact of this vulnerability is substantial, as it allows attackers to potentially access sensitive files within the server. Given that the attack vector is network-based and requires user interaction, the risk to organizations includes unauthorized access to critical data and potential system compromise.

As the vulnerability is currently marked as deferred, organizations should remain vigilant and monitor for updates. Immediate action is recommended for those using versions from n/a through 3.1.26, as these are confirmed to be affected.

Organizations should prioritize patching this vulnerability to mitigate any potential risks associated with exploitation.

Vulnerability Details

The vulnerability allows unauthorized local file inclusion in the FULL SERVICES FULL Customer plugin, which could facilitate unauthorized access to sensitive information stored on the server. The vulnerability affects versions up to and including 3.1.26.

The technical classification of this issue falls under 'Improper Control of Filename for Include/Require Statement in PHP Program' and is characterized as a high-severity vulnerability based on its CVSS score of 7.5.

Technical Analysis

The root cause of this vulnerability lies in the improper handling of filenames within the PHP code, allowing potentially harmful files to be included from insecure sources. The attack vector is network-based, requiring high complexity due to the need for user interaction.

The vulnerability does not require elevated privileges, making it accessible to unauthenticated users. The impacts on confidentiality, integrity, and availability are all rated as high, highlighting the critical nature of this issue.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2025-26757 is critical for organizations that utilize the FULL SERVICES FULL Customer plugin. The potential blast radius includes unauthorized access to sensitive files and the risk of further exploitation within the network.

Given that the vulnerability is classified as high severity, organizations should address it in their priority patch cycle. The CVSS score of 7.5 indicates a critical nature that could lead to severe consequences if exploited.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions of the FULL SERVICES FULL Customer plugin include versions from n/a through 3.1.26. Organizations running these versions should consider upgrading as part of their remediation strategy.

Mitigation & Remediation

Organizations should prioritize immediate patching to address CVE-2025-26757. If a patch is unavailable, organizations may consider implementing network controls to limit access to vulnerable components.

For further security measures, organizations can refer to best practices in penetration testing methodology to ensure comprehensive security coverage.

Detection Guidance

Organizations should monitor for any log indicators that suggest unauthorized access or attempts to exploit this vulnerability. Behavioral anomalies in application behavior should also be flagged for further investigation.

AppSecure Threat Intelligence Insight

CVE-2025-26757 highlights the ongoing risks associated with improper filename controls in PHP applications. Security teams should take this as a learning opportunity to improve their security posture against similar vulnerabilities.

For comprehensive vulnerability management, organizations can refer to our guide on vulnerability management programs and best practices.

Additionally, understanding the trends in application security can better equip teams in preventing similar vulnerabilities. For insights into current trends, refer to our blog on vulnerability exposure severity trends.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-26757: High Vulnerability in FULL SERVICES FULL Customer