Skip to main content

Armania CVE-2026-39626

| EUVDEUVD-2026-20272 MEDIUM
Basic XSS (CWE-80)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:25 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20272
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.

AnalysisAI

Improper neutralization of script-related HTML tags in the Armania WordPress theme (versions up to 1.4.8) allows unauthenticated remote attackers to inject arbitrary code through unvalidated input, resulting in stored XSS and arbitrary shortcode execution. The vulnerability has a low CVSS severity (5.3) with EPSS exploitation probability of 0.03% (8th percentile), but enables integrity compromise through code injection that persists in the application.

Technical ContextAI

The vulnerability resides in the kutethemes Armania WordPress theme, which fails to properly sanitize or escape user-controlled input before rendering it in HTML context. This is a classic CWE-80 (Improper Neutralization of Script-Related HTML Tags) flaw where script-related HTML tags are not filtered, allowing attackers to inject malicious scripts. The theme processes user input (likely through shortcodes or theme settings) without adequate neutralization, permitting arbitrary shortcode execution and stored XSS attacks. WordPress themes are rendered server-side but execute in user browsers, making this a delivery mechanism for persistent client-side code injection.

RemediationAI

Update the Armania theme to a patched version released after 1.4.8. WordPress administrators should navigate to Appearance > Themes in the WordPress dashboard, locate Armania, and apply the latest available update. If an update is not yet available, disable the Armania theme and switch to an alternative theme until a patch is released. For additional security details and vendor advisories, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39626.

Share

CVE-2026-39626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy