Skip to main content

Dukamarket CVE-2026-39628

| EUVDEUVD-2026-20276 MEDIUM
Basic XSS (CWE-80)
2026-04-08 Patchstack GHSA-36hh-hpjf-wc4x
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:25 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20276
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0.

AnalysisAI

Improper neutralization of script-related HTML tags in kutethemes DukaMarket WordPress theme version 1.3.0 and earlier allows unauthenticated remote attackers to inject malicious code via XSS, resulting in integrity compromise. The vulnerability has an EPSS score of 0.03% (percentile 8%), indicating very low real-world exploitation probability despite the moderate CVSS 5.3 rating. No evidence of active exploitation or public proof-of-concept code has been identified.

Technical ContextAI

The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a foundational cross-site scripting (XSS) flaw. This occurs when user-supplied input is rendered in HTML context without proper sanitization or encoding of script tags and event handlers. In the context of kutethemes DukaMarket (a WordPress e-commerce theme), the root cause involves inadequate input validation and output encoding in shortcode or template processing functionality, allowing attackers to inject arbitrary HTML and JavaScript code that executes in the context of affected web pages. The affected product is identified by CPE cpe:2.3:a:kutethemes:dukamarket:*:*:*:*:*:*:*:*, covering all versions through 1.3.0.

RemediationAI

Update kutethemes DukaMarket to the latest patched version immediately available from the vendor. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/dukamarket/vulnerability/wordpress-dukamarket-theme-1-3-0-arbitrary-shortcode-execution-vulnerability for the specific fixed version number. As interim mitigations, implement strict Content Security Policy (CSP) headers to prevent inline script execution, validate and sanitize all user input before rendering in templates, and apply output encoding to all dynamic content. For WordPress environments, consider temporarily disabling or restricting access to the affected theme functionality if immediate patching is not feasible.

Share

CVE-2026-39628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy