{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:54.220Z", "datePublished": "2026-03-05T05:53:55.756Z", "dateUpdated": "2026-04-28T16:15:02.417Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "celeste", "product": "Celeste", "vendor": "BoldThemes", "versions": [{"lessThanOrEqual": "1.3.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:19.002Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.<p>This issue affects Celeste: from n/a through <= 1.3.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.417Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/celeste/vulnerability/wordpress-celeste-theme-1-3-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Celeste theme <= 1.3.6 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T18:03:20.542069Z", "id": "CVE-2026-27369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:02:34.963Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:54.220Z", "datePublished": "2026-03-05T05:53:55.756Z", "dateUpdated": "2026-04-28T16:02:34.963Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "celeste", "product": "Celeste", "vendor": "BoldThemes", "versions": [{"lessThanOrEqual": "1.3.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:27:14.132Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.<p>This issue affects Celeste: from n/a through <= 1.3.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:51.816Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/celeste/vulnerability/wordpress-celeste-theme-1-3-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Celeste theme <= 1.3.6 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T18:03:20.542069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:02:46.344Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en BoldThemes Celeste celeste permite la inyecci\u00f3n de objetos. Este problema afecta a Celeste: desde n/a hasta &lt;= 1.3.6."}], "id": "CVE-2026-27369", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:26.490", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/celeste/vulnerability/wordpress-celeste-theme-1-3-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "celeste", "vendor": "boldthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:11:38.133553+00:00", "value": {"mitigation_remediation": ["Upgrade to an available Celeste theme version newer than 1.3.6, which should address the unsafe deserialization.", "If an update is unavailable, deactivate or uninstall the Celeste theme and replace it with a trusted alternative that does not deserialize user input.", "Audit the WordPress installation for other plugins or themes that perform unserialize on untrusted data, and apply updates or configuration changes to mitigate similar risks."], "summary": {"action": "Immediate Patch", "impact": "Object Injection leading to possible remote code execution"}, "threat_synthesis": {"affected_systems": "The affected product is the BoldThemes Celeste WordPress theme, versions from the earliest release through 1.3.6. Users running these versions are directly exposed until they upgrade or remove the theme.", "description_and_impact": "This vulnerability permits the deserialization of untrusted data within the BoldThemes Celeste WordPress theme, allowing PHP object injection. The flaw can enable an attacker to inject malicious objects that are processed by PHP\u2019s unserialize function, potentially leading to arbitrary code execution or unauthorized actions within the WordPress site. The weakness corresponds to CWE\u2011502, which focuses on unsafe deserialization.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. However, the attack vector is likely remote, as attackers can supply crafted data via web requests or uploads to trigger deserialization. Successful exploitation can lead to full control of the hosting environment, compromising site integrity, confidentiality, and availability."}}}}, "created": "2026-03-06T15:12:19.191545+00:00", "updated": "2026-04-16T05:15:25.478330+00:00", "vendors": ["boldthemes", "boldthemes$PRODUCT$celeste", "wordpress", "wordpress$PRODUCT$wordpress"]}