PT-2026-25247 · Boldgrid · Sprout Invoices Client Invoicing

Daroo · Published 2026-03-13 · Updated 2026-03-14 · CVE-2026-32401

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BoldGrid Client Invoicing by Sprout Invoices, versions through 20.8.9

Description: The software suffers from improper control of the filename used in include/require statements in a PHP program, leading to a PHP Local File Inclusion issue that allows local PHP files to be included. The vulnerable component is the plugin's file inclusion handling, presumably a call to include() or require() whose filename parameter, or a similar variable controlling the file path, is not adequately sanitized, so an attacker can influence which file is included.

Recommendations: Versions prior to and including 20.8.9 should be updated. As a temporary workaround, restrict access to the file inclusion functionality or sanitize all file paths before using them in include() or require() statements.
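The following is an added illustration of the workaround the recommendation describes (an allowlist of includable names plus a resolved-path check); it is not Sprout Invoices code, and the `view` parameter name and the `views/` directory are assumptions.

```php
<?php
// Added example, not the plugin's own code. The request parameter "view"
// and the "views/" template directory are assumed for illustration.
//
// The pattern the advisory warns about is an include whose filename comes
// straight from request input, e.g.  include $_GET['view'] . '.php';
// The loader below replaces that with an allowlist and a path check.

function load_view($requested): void
{
    // Only these names may ever reach include(). Anything else is rejected
    // before any filesystem work happens, so "../", null bytes and stream
    // wrappers such as php:// never get a chance to be interpreted.
    $allowed = ['invoice', 'estimate', 'client'];

    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        http_response_code(400);
        exit('Unknown view');
    }

    $base = realpath(__DIR__ . '/views');
    $path = realpath($base . '/' . $requested . '.php');

    // Defence in depth: even for an allowlisted name, the resolved path must
    // exist and sit inside the template directory (guards against symlinks
    // or a misconfigured $base).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit('Invalid view');
    }

    include $path;
}

load_view($_GET['view'] ?? 'invoice');
```

Because the allowlist is checked before any path is built, the filesystem check only matters as a second layer; removing either one alone still leaves a safe loader, but keeping both is cheap.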

Related Identifiers: CVE-2026-32401

Affected Products: Sprout Invoices Client Invoicing