What is the CVSS score of CVE-2026-32507?

CVE-2026-32507 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Leroux are affected by CVE-2026-32507?

Organizations using Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux should be aware of moderate risk from CVE-2026-32507, a insecure deserialization vulnerability rated…. A patch is available.

Leroux CVE-2026-32507

Q: How to fix or mitigate CVE-2026-32507?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

EUVD-2026-15861 MEDIUM

Deserialization of Untrusted Data (CWE-502)

2026-03-25 Patchstack

GHSA-x46f-v56p-c92m

Deserialization Leroux

5.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.4

EUVD ID Assigned

Mar 25, 2026 - 16:47 euvd

EUVD-2026-15861

Analysis Generated

Mar 25, 2026 - 16:47 vuln.today

CVE Published

Mar 25, 2026 - 16:15 nvd

MEDIUM 5.4

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4.

AnalysisAI

A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The practical risk of this vulnerability is elevated despite the absence of a CVSS score or EPSS rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a serialized PHP object payload containing a gadget chain that executes arbitrary code when instantiated. This payload is sent to the vulnerable Leroux theme endpoint that performs insecure deserialization (likely via an AJAX handler, REST API endpoint, or form submission). …
Remediation	Immediately upgrade the Leroux theme to version 1.4 or later, which contains the fix for this object instantiation vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-32507 vulnerability details – vuln.today

Back