CVE Catalog
CVE-2025-68064
HighCVSS 7.5Summary
Local File Inclusion (LFI) vulnerability in Goya Core plugin versions prior to 1.0.9.4 allows a contributor to read arbitrary files on the server.
Risk Assessment
An attacker with contributor privileges can access sensitive configuration files, user data, or source code, potentially leading to privilege escalation or data leakage.
Recommendation
Immediately update the Goya Core plugin to version 1.0.9.4 or later and restrict contributor privileges to the minimum necessary for their work.
Original NVD description (English source)
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

