What is the CVSS score of CVE-2026-32355?

CVE-2026-32355 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Jetengine are affected by CVE-2026-32355?

Crocoblock JetEngine versions before 3.8.4.1 contain a critical deserialization flaw that allows authenticated users with standard website access to execute arbitrary code and take control of…. A patch is available.

How to fix or mitigate CVE-2026-32355?

Within 24 hours: Identify all WordPress instances running Crocoblock JetEngine and document current versions via wp-cli or admin dashboard. Within 7 days: Update all JetEngine installations to version 3.8.4.1 or later via WordPress plugin manager or manual upload; test on staging environment first. Within 30 days: Audit user access logs for JetEngine-related activity post-update; review user role assignments and revoke unnecessary authenticated access.

Jetengine CVE-2026-32355

EUVD-2026-11844 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-13 Patchstack

Deserialization Jetengine

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 06:22 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.8.4.1

EUVD ID Assigned

Mar 13, 2026 - 16:57 euvd

EUVD-2026-11844

Analysis Generated

Mar 13, 2026 - 16:57 vuln.today

CVE Published

Mar 13, 2026 - 11:42 nvd

HIGH 8.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.

AnalysisAI

Crocoblock JetEngine versions below 3.8.4.1 are vulnerable to unsafe deserialization of untrusted data, enabling authenticated attackers to inject malicious objects and achieve arbitrary code execution. An attacker with user-level access can exploit this vulnerability without user interaction to fully compromise the affected system. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as WordPress user

Delivery

Send crafted serialized object payload

Exploit

Trigger unsafe deserialization in JetEngine

Execution

Inject malicious object

Impact

Execute arbitrary code

Access

Authenticate as WordPress user

Delivery

Send crafted serialized object payload

Exploit

Trigger unsafe deserialization in JetEngine

Execution

Inject malicious object

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	JetEngine plugin version < 3.8.4.1 installed and active on WordPress. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Remote code execution, denial of service, or authentication bypass through manipulation of serialized object state. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker modifies a serialized object (e.g., in a cookie or API parameter) to include malicious payloads that execute during the deserialization process.
Remediation	Avoid deserializing untrusted data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Crocoblock JetEngine and document current versions via wp-cli or admin dashboard. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49075 CRITICAL Act Now

9.8 Jun 17

PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co

CVE-2026-52706 CRITICAL Act Now

9.8 Jun 17

Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote

CVE-2026-49076 CRITICAL Act Now

9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att

CVE-2026-49084 CRITICAL Act Now

9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj

CVE-2026-54187 CRITICAL Act Now

9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to

CVE-2026-32355 vulnerability details – vuln.today

Back

Jetengine CVE-2026-32355

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code