PHP Local File Inclusion in Blueprint Code Supply

CVE-2026-39552 is a PHP Local File Inclusion (LFI) vulnerability in Code Supply Co.'s Blueprint, affecting versions before 1.1.5. This CWE-98 weakness—improper control of filenames in include/require statements—allows attackers to manipulate file paths and access arbitrary local files on the server. Organizations using Blueprint for code management or deployment automation are at risk, particularly in environments where user input influences file inclusion operations. An attacker exploiting this vulnerability could read sensitive files like configuration files containing credentials, source code, or system information, potentially leading to further compromise of the application or infrastructure.

While this CVE lacks explicit MITRE ATT&CK mapping, Casky.ai's 754 mapped security skills would detect the attack patterns associated with this vulnerability through reconnaissance and credential access techniques. Practitioners analyzing Blueprint deployments would observe security findings related to improper input validation, unsanitized file path parameters, and suspicious file access patterns—particularly attempts to include files outside intended directories using path traversal sequences (../, ..\, or encoded variants). Extended reasoning through Claude AI would correlate these indicators with CWE-98 patterns, helping security teams identify both vulnerable code patterns during development and exploitation attempts in runtime logs, enabling rapid patching and threat hunting before attackers escalate from file disclosure to system compromise.