{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39626", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:27.418Z", "dateUpdated": "2026-04-08T08:30:27.418Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "armania", "product": "Armania", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "1.4.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.050Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.<p>This issue affects Armania: from n/a through <= 1.4.8.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.418Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8."}], "id": "CVE-2026-39626", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.937", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Armania", "source": "cna", "vendor": "kutethemes"}, "product": "armania", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:13:00.327528+00:00", "value": {"mitigation_remediation": ["Upgrade the Armania theme to any version newer than 1.4.8 once a patch is released.", "If an update is not immediately possible, switch the site to a different, trusted theme or disable the current theme.", "As an interim control, restrict or remove the use of shortcodes that allow user input, and ensure that all content is sanitized."], "summary": {"action": "Update Theme", "impact": "Arbitrary code execution via shortcode injection"}, "threat_synthesis": {"affected_systems": "All releases of the Kutethemes Armania theme from the first available version through version 1.4.8 are affected. No other vendors or products have been identified as impacted by this vulnerability.", "description_and_impact": "The vulnerability arises from improper neutralization of script-related HTML tags in the Kutethemes Armania WordPress theme, allowing attackers to insert and execute custom code within shortcodes. When the theme processes content containing these shortcodes, the malicious code can run with the privileges of the WordPress installation. This flaw gives a malicious actor the ability to manipulate page content, inject scripts, or potentially run arbitrary PHP code, compromising the confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "The CVSS score is not provided, but the nature of the flaw indicates a high severity potential. No EPSS score is available and the vulnerability is not listed in the KEV catalog. The likely attack vector is web-based through content submission; an attacker with the ability to add or edit posts or pages can insert a malicious shortcode that the theme will process and execute. Successful exploitation would grant the attacker control over the WordPress site and its data."}}}}, "created": "2026-04-08T19:29:33.160673+00:00", "updated": "2026-04-08T19:41:49.748234+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$armania", "wordpress", "wordpress$PRODUCT$wordpress"]}