CVE-2026-32401

Name: Websites susceptible to CVE-2026-32401
Creator: WebTechSurvey

CVE-2026-32401

WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows PHP Local File Inclusion.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.9.

We have discovered 368 live websites that are affected by CVE-2026-32401.

Run a Free Instant Scan

Affected Software


Product	Sprout Invoices
Category	Wordpress Plugins
Vulnerable Domains	368 live websites (86% of Sprout Invoices install base)
Vulnerable Versions	from 0 through 20.8.9
Vulnerable Versions Count	41 versions ( 95% of all versions)

Available Reports

Website List

Details

Published - Mar 13, 2026
Updated - Apr 1, 2026

Credits

daroo | Patchstack Bug Bounty Program (finder)

CVE References

Website Distribution by Country

Number of websites using CVE-2026-32401

United States	215 websites

GB	36 websites
France	19 websites
Canada	13 websites
Cyprus	8 websites
Australia	8 websites
Germany	8 websites
Switzerland	8 websites
South Africa	5 websites

Website Distribution by TLD

Number of websites using CVE-2026-32401

.com	247 websites
.co.uk	14 websites
.net	13 websites
.fr	7 websites
.ca	7 websites
.com.au	6 websites
.org	6 websites
.ch	4 websites
.se	2 websites
.cz	2 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Websites affected by CVE-2026-32401

Top websites that are affected by CVE-2026-32401. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
********.com	United States	,**
*****.**.es	Spain	,*
************.com	United States	*,*
******************.com	United States	*,*
*******.com	United States	*,*
**********.com	United States	*,*
*******************.com	United States	*,*
******.eu	Germany	*,*
*************.com	United States	*,*
******.io	United States	*,*

See full domain list

FAQ

A total of 368 websites have been identified as vulnerable to CVE-2026-32401, based on global website indexing conducted by WebTechSurvey.

The Sprout Invoices is affected by the CVE-2026-32401 vulnerability.

Sprout Invoices versions up to and including 20.8.9 are vulnerable to CVE-2026-32401.

References

https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-9-local-file-inclusion-vulnerability?_s_id=cve

CVE-2026-32401

Affected Software

Available Reports

Details

Credits

CVE References

Website Distribution by Country

Website Distribution by TLD

Vulnerable Versions

Websites affected by CVE-2026-32401

How many websites are affected by the CVE-2026-32401 vulnerability?

Which technology is affected by CVE-2026-32401?

Which versions of Sprout Invoices are vulnerable to CVE-2026-32401?

References