{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39626", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:27.418Z", "dateUpdated": "2026-04-29T09:52:02.725Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "armania", "product": "Armania", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "1.4.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.050Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.<p>This issue affects Armania: from n/a through <= 1.4.8.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.725Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:11:43.001394Z", "id": "CVE-2026-39626", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:11:57.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:11:43.001394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:11:54.461Z"}}], "cna": {"title": "WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "kutethemes", "product": "Armania", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.8"}], "packageName": "armania", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:33.050Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.<p>This issue affects Armania: from n/a through <= 1.4.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39626", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:11:57.651Z", "dateReserved": "2026-04-07T10:57:36.650Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:27.418Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8."}], "id": "CVE-2026-39626", "lastModified": "2026-04-29T10:17:32.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:32.937", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Armania", "source": "cna", "vendor": "kutethemes"}, "product": "armania", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T16:41:36.857107+00:00", "value": {"mitigation_remediation": ["Upgrade the Armania theme to a version newer than\u202f1.4.8 or to a patched release from the vendor.", "If an upgrade cannot be performed immediately, remove or disable any shortcodes that could trigger the flaw.", "Keep WordPress core, all plugins, and themes updated to the latest released versions.", "Apply site\u2011wide input sanitization or XSS protection plugins to mitigate similar risks."], "summary": {"action": "Apply Patch", "impact": "Code Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Kutethemes Armania WordPress theme up to, and including, version\u202f1.4.8. No specific sub\u2011components are mentioned, so any site running a vulnerable theme version is at risk.", "description_and_impact": "Improper neutralization of script\u2011related HTML tags in the Armania theme enables attackers to inject malicious code via shortcodes. This basic XSS flaw allows the execution of arbitrary JavaScript, which could lead to cross\u2011site scripting attacks against site visitors, session hijacking, content defacement, or credential theft. The weakness is classified as CWE\u201180.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would likely involve an attacker crafting a malicious shortcode or input that the theme fails to sanitize, which could be delivered through the content editor or a user\u2011submitted post, giving the attacker the ability to run JavaScript in the context of site users."}}}}, "created": "2026-04-08T19:29:33.160673+00:00", "updated": "2026-04-14T16:43:23.137115+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$armania", "wordpress", "wordpress$PRODUCT$wordpress"]}