Web Security
LFI
Local File Inclusion (LFI) is a vulnerability that allows an attacker to include files from the server's local filesystem through a web application, often by manipulating a file path parameter. This can expose sensitive files like /etc/passwd, configuration files with credentials, or application source code. In some cases LFI can escalate to RCE via log poisoning. Prevention requires strict input validation and avoiding user-controlled paths in file operations.
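The prevention advice above, shown as an added example that is not part of the original page: a path built directly from a request value beside a version that maps the value through an allowlist and then checks containment. The Python setting, the names `ALLOWED_PAGES`, `unsafe_path`, `safe_path`, `is_inside` and `demo`, and the sample inputs are all assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: pages are selected by a short key, never by a raw path.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def unsafe_path(base_dir, page):
    """Vulnerable pattern: the request value is joined into the path as-is."""
    return os.path.realpath(os.path.join(base_dir, page))


def safe_path(base_dir, page):
    """Hardened pattern: allowlist lookup, then a containment check."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError("unknown page")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: catches a symlink inside base_dir pointing outside.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def is_inside(base_dir, path):
    """True when the resolved path stays under the resolved base directory."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def demo():
    """Run both resolvers over constructed inputs; return what each allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "pages")
        os.mkdir(base)
        for value in ["home", "../secret.conf", "/etc/passwd"]:  # constructed
            escaped = not is_inside(base, unsafe_path(base, value))
            try:
                accepted = bool(safe_path(base, value))
            except ValueError:
                accepted = False
            results[value] = (escaped, accepted)
    return results


if __name__ == "__main__":
    for value, (escaped, accepted) in demo().items():
        print(f"{value!r}: unsafe escapes base={escaped}, safe accepts={accepted}")
```

Each result pair reads as (the unsafe resolver left the base directory, the safe resolver accepted the value); only the allowlisted key is accepted, and it never leaves the base directory.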
Why it matters for your website
- Listed in the OWASP Top 10, one of the most critical web risks
- Can lead to data exfiltration, account takeover, or full system compromise
- Required to fix before passing security reviews for enterprise customers