PHP remote file inclusion vulnerability in 404.php in open-medium.CMS 0.25 allows remote attackers to execute arbitrary PHP code via a URL in the REDSYS[MYPATH][TEMPLATES] parameter.