Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
AnalysisAI
Improper neutralization of script-related HTML tags in the Armania WordPress theme (versions up to 1.4.8) allows unauthenticated remote attackers to inject arbitrary code through unvalidated input, resulting in stored XSS and arbitrary shortcode execution. The vulnerability has a low CVSS severity (5.3) with EPSS exploitation probability of 0.03% (8th percentile), but enables integrity compromise through code injection that persists in the application.
Technical ContextAI
The vulnerability resides in the kutethemes Armania WordPress theme, which fails to properly sanitize or escape user-controlled input before rendering it in HTML context. This is a classic CWE-80 (Improper Neutralization of Script-Related HTML Tags) flaw where script-related HTML tags are not filtered, allowing attackers to inject malicious scripts. The theme processes user input (likely through shortcodes or theme settings) without adequate neutralization, permitting arbitrary shortcode execution and stored XSS attacks. WordPress themes are rendered server-side but execute in user browsers, making this a delivery mechanism for persistent client-side code injection.
RemediationAI
Update the Armania theme to a patched version released after 1.4.8. WordPress administrators should navigate to Appearance > Themes in the WordPress dashboard, locate Armania, and apply the latest available update. If an update is not yet available, disable the Armania theme and switch to an alternative theme until a patch is released. For additional security details and vendor advisories, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/armania/vulnerability/wordpress-armania-theme-1-4-8-arbitrary-shortcode-execution-vulnerability and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39626.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20272