CVE-2026-28507: Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
Two separate vulnerabilities in Idno can be chained to achieve remote code execution starting from a web application admin account. First, a web application admin can cause the server to fetch an attacker-controlled URL during WordPress import processing, and the fetched content is written to the server's temp directory as a PHP file. Second, a template name parameter is used in a file inclusion without sanitization, so the admin, or a separate, lower-privileged authenticated user, can supply a path-traversal value that points at the planted file and have it included. The included PHP runs as the web server user and can execute arbitrary operating system commands.
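The following is an added illustration and not Idno's code: the function names, parameter names and directory layout are hypothetical. It shows the second bug in the chain as the advisory describes it (a request-supplied template name concatenated into an `include` path), a hardened resolver that confines the template to its directory, and a storage helper for the first bug's fetched import data that never lets an attacker choose the on-disk filename or extension.

```php
<?php
declare(strict_types=1);

// Added example, not Idno's code. All names here are hypothetical; they
// illustrate the two bugs the advisory chains and one way to close each.

// --- Bug 2 pattern: template name used directly in an include ---

// Vulnerable (hypothetical): $name comes straight from a request parameter.
// A value such as "../../../../tmp/payload" leaves the template directory,
// so a file the import step dropped in the temp directory is executed as
// the web server user.
function renderTemplateVulnerable(string $templateDir, string $name): void
{
    include $templateDir . '/' . $name . '.tpl.php';
}

// Hardened: accept only a plain identifier, then canonicalise and confirm
// the resolved file is still inside the template directory.
function resolveTemplatePath(string $templateDir, string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]+\z/', $name) !== 1) {
        return null; // separators, dots and null bytes never get this far
    }
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . DIRECTORY_SEPARATOR . $name . '.tpl.php');
    if ($base === false || $candidate === false) {
        return null; // directory or template does not exist
    }
    // realpath() has already resolved symlinks and "..", so a prefix check
    // on the canonical path is meaningful.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function renderTemplateHardened(string $templateDir, string $name): void
{
    $path = resolveTemplatePath($templateDir, $name);
    if ($path === null) {
        http_response_code(400); // no-op on the CLI, sets the status under a web SAPI
        echo "unknown template\n";
        return;
    }
    include $path;
}

// --- Bug 1 pattern: fetched import data lands on disk under an attacker-chosen name ---

// Hardened storage for a fetched import attachment (hypothetical helper):
// the on-disk name is random and carries no extension, so even when the
// fetch itself is reachable by an admin, nothing ending in ".php" appears
// in the temp directory. The original name is kept as data, not as a path.
function storeImportedBlob(string $tempDir, string $originalName, string $body): array
{
    $storedPath = $tempDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16));
    file_put_contents($storedPath, $body, LOCK_EX);
    chmod($storedPath, 0600);
    return ['path' => $storedPath, 'original_name' => basename($originalName)];
}

// --- Demo against a scratch template directory (constructed input) ---
$templateDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($templateDir, 0700);
file_put_contents($templateDir . '/home.tpl.php', "<?php echo \"home template\\n\";\n");

// Stands in for the file the import step would have written to the temp dir.
$planted = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'planted.tpl.php';
file_put_contents($planted, "<?php echo \"planted code ran\\n\";\n");

// Climbs out of $templateDir and back down into the temp directory.
$traversal = str_repeat('../', 8) . ltrim(sys_get_temp_dir(), '/') . '/planted';

renderTemplateHardened($templateDir, 'home');      // legitimate template, included
renderTemplateHardened($templateDir, $traversal);  // rejected before any include
var_dump(resolveTemplatePath($templateDir, $traversal) === null);

// The vulnerable form would include $planted; left as a comment deliberately.
// renderTemplateVulnerable($templateDir, $traversal);

unlink($planted);
unlink($templateDir . '/home.tpl.php');
rmdir($templateDir);
```

The resolver rejects on the identifier check alone for the traversal string; the `realpath()` prefix comparison is a second, independent guard that also covers symlinks inside the template directory. On the import side, the point is that the first bug only matters because the fetched bytes become a file with a PHP extension in a predictable location; a random extensionless name removes the include target even if the fetch is left reachable.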