SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-98 Remote File Inclusion

Coverage: 3 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged inclusion of external/remote resources based on untrusted input. In some stacks this can load and execute attacker-controlled code.

Why it matters

Remote file inclusion can execute attacker-controlled code.

Safer examples

1) Don't include remote resources based on user input

Map user choices to known internal templates/resources.

2) Use allowlists and fixed directories

If inclusion is needed, only include from a fixed, server-controlled directory (see CWE-22/23/36).

3) Harden outbound fetching

If you must fetch remote resources, apply SSRF defenses: allowlist hosts, block private ranges, limit redirects (see CWE-918).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.