Skip to main content

Kirki CVE-2026-57724

| EUVDEUVD-2026-43377 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (Patchstack) · only source for this CVE.

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:45 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This issue affects Kirki: from n/a through <= 6.0.12.

AnalysisAI

Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, conduct an inventory of all WordPress themes and plugins deployed across your organization to identify which bundle Themeum Kirki through version 6.0.12 using automated scanning tools or manual vendor documentation review. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy