{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32355", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:47.068Z", "datePublished": "2026-03-13T11:42:00.737Z", "dateUpdated": "2026-04-29T09:51:57.881Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected", "packageName": "jet-engine", "product": "JetEngine", "vendor": "Crocoblock", "versions": [{"changes": [{"at": "3.8.4.1", "status": "unaffected"}], "lessThanOrEqual": "3.8.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:39.918Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.<p>This issue affects JetEngine: from n/a through < 3.8.4.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.881Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-4-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "title": "WordPress JetEngine plugin < 3.8.4.1 - Deserialization of untrusted data vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T13:58:15.435895Z", "id": "CVE-2026-32355", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:58:43.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T13:58:15.435895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:57:36.379Z"}}], "cna": {"title": "WordPress JetEngine plugin < 3.8.4.1 - Deserialization of untrusted data vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"status": "affected", "changes": [{"at": "3.8.4.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 3.8.4.1"}], "packageName": "jet-engine", "collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:25.615Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-4-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.<p>This issue affects JetEngine: from n/a through < 3.8.4.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:00.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32355", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:58:43.691Z", "dateReserved": "2026-03-12T11:10:47.068Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:00.737Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Crocoblock JetEngine jet-engine permite la inyecci\u00f3n de objetos. Este problema afecta a JetEngine: desde n/a hasta &lt; 3.8.4.1."}], "id": "CVE-2026-32355", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:47.730", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-4-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "JetEngine", "source": "cna", "vendor": "Crocoblock"}, "product": "jetengine", "vendor": "crocoblock"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:14:40.097329+00:00", "value": {"mitigation_remediation": ["Upgrade JetEngine plugin to version 3.8.4.1 or later.", "If upgrade is not immediately possible, disable the JetEngine plugin or the specific functionality that processes serialized data until a patch is applied.", "Apply Web Application Firewall rules to block known malicious serialization payloads.", "Regularly monitor for signs of exploitation, such as unexpected file creations or code execution patterns."], "summary": {"action": "Immediate Patch", "impact": "Object Injection leading to potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected product: Crocoblock JetEngine plugin. All releases earlier than 3.8.4.1 are impacted. The affected versions range from the earliest available release up to but not including 3.8.4.1.", "description_and_impact": "The vulnerability is a Deserialization of Untrusted Data flaw that enables an attacker to perform an Object Injection attack. According to the official description, a malicious payload can be injected during deserialization, which may allow the attacker to execute arbitrary code or modify system state. This is categorized as CWE-502.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this flaw as High severity. The EPSS score is below 1\u202f%, indicating that exploitation is currently not widespread. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the deserialization context; an attacker would need to supply crafted serialized data\u2014typically via a web request or payload\u2014to trigger the injection. Because deserialization occurs in the plugin\u2019s processing flow, remote exploitation is plausible if the plugin is accessible over the web. The official description does not mention specific prerequisites, so the attack can be performed by any user with access to the vulnerable endpoint."}}}}, "created": "2026-03-16T09:34:51.816257+00:00", "updated": "2026-03-23T09:59:01.594305+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetengine", "wordpress", "wordpress$PRODUCT$wordpress"]}