File Inclusion

  • CAPEC 252
  • PCI 3.2-6.5.8
  • WASC 33
  • OWASP 2013-A4

A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs when user-supplied input is used to select the file without proper validation.

This can lead to something as simple as outputting the contents of a file, but depending on the severity it can also lead to:

  • Code execution on the web server
  • Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure

Remediation

As the main cause is improper input validation, suggestions mainly revolve around sanitizing the input received.

  1. Accept only letters and digits for file names (A-Z, 0-9). Blacklist all special characters, which are of no use in a filename.
  2. Limit the API so that files can be included only from a single allowed directory, so that directory traversal is also avoided.
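A minimal include resolver that applies both remediation steps, as an added Python example (not code from the original page): the letters-and-digits allowlist from step 1, plus confinement of the resolved path to one allowed directory from step 2. `resolve_include`, `include_page` and `demo` are hypothetical names; the allowed directory and its single page are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Step 1: only letters and digits are acceptable in a page name.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9]+$")


def resolve_include(base_dir, requested):
    """Return the canonical path of the file to include, or None if rejected.

    Two independent checks:
    1. the name may contain only A-Z, a-z, 0-9 (so no '/', '.', '\\' or NUL);
    2. the resolved path must still lie inside base_dir once symlinks and
       '..' are collapsed, so traversal cannot escape the allowed directory.
    """
    if not ALLOWED_NAME.fullmatch(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath guards against prefix tricks such as /var/www vs /var/www2
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def include_page(base_dir, requested):
    """Read and return an allowed page's contents, or a fixed error string."""
    path = resolve_include(base_dir, requested)
    if path is None:
        return "error: invalid page"
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Constructed scenario: one legitimate page and several rejected names."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "home"), "w", encoding="utf-8") as fh:
            fh.write("welcome")
        names = ["home", "../config", "home.php", "home\x00", "missing"]
        return {name: include_page(base, name) for name in names}
```

Only "home" is served; every other name is refused by the allowlist before any filesystem access, and "missing" by the existence check.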