CVE-2026-27096
Published: 19 March 2026
Summary
CVE-2026-27096 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the BuddhaThemes ColorFolio WordPress theme. Its CVSS v3.1 base score is 8.1 (High).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27096 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the BuddhaThemes ColorFolio - Freelance Designer WordPress Theme (slug: colorfolio). It enables PHP Object Injection and affects all versions up to and including 1.3; the advisory gives no lower bound ("n/a").
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network by an unauthenticated attacker with no user interaction, but with high attack complexity (AC:H), which in CVSS terms means conditions outside the attacker's control must hold. For a PHP deserialization bug that typically means a usable gadget chain (a loadable class with exploitable magic methods) must be present in the target install. Successful exploitation can result in high impacts to confidentiality, integrity, and availability.
Patchstack published an advisory on the issue, available at https://patchstack.com/database/Wordpress/Theme/colorfolio/vulnerability/wordpress-colorfolio-freelance-designer-wordpress-theme-theme-1-3-deserialization-of-untrusted-data-vulnerability?_s_id=cve, covering the deserialization vulnerability in ColorFolio theme version 1.3.
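The following is an added illustration of the CWE-502 / PHP object injection pattern described above, not code from the ColorFolio theme or from Patchstack: the advisory does not disclose where in the theme the unserialize() sink lives, so the PortfolioCache class, the function names and the "layout" parameter are assumptions made for the example. It shows the vulnerable call, the same call with allowed_classes disabled, and the JSON alternative, each fed the same attacker-built string.

```php
<?php
// Added illustration of CWE-502 / PHP object injection. Not code from the
// ColorFolio theme: the class, function names and the "layout" parameter are
// assumptions made for this example.
declare(strict_types=1);

// A class that exists in the application for a legitimate reason and is
// therefore loadable when unserialize() runs. Its __destruct() writes a file,
// which makes it a gadget: whoever controls the serialized string chooses the
// class and every property value.
class PortfolioCache
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data); // attacker-chosen path and content
        }
    }
}

// Builds the attacker's payload by hand so that no PortfolioCache object ever
// exists in the attacker's own process (serialize() would run __destruct there).
function build_payload(string $path, string $data): string
{
    return sprintf(
        'O:14:"PortfolioCache":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

// VULNERABLE pattern: request-controlled data (cookie, POST field, AJAX body)
// goes straight into unserialize(), so PHP instantiates whatever class the
// string names and later runs its magic methods.
function load_layout_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED (1): same call, but no class may be instantiated. Objects in the
// payload come back as __PHP_Incomplete_Class, whose magic methods never run.
function load_layout_hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED (2), the preferred fix: do not use PHP serialization for data that
// crosses a trust boundary at all. JSON cannot name a class, so there is
// nothing to inject.
function load_layout_json(string $untrusted): ?array
{
    try {
        $decoded = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($decoded) ? $decoded : null;
}

// Demonstration with constructed input.
$target  = sys_get_temp_dir() . '/colorfolio-demo.txt';
$payload = build_payload($target, 'written by the gadget');
@unlink($target);

$obj = load_layout_vulnerable($payload);
printf("vulnerable: object is %s\n", get_class($obj));
unset($obj); // last reference dropped -> __destruct fires -> file written
printf("vulnerable: file created = %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

$safe = load_layout_hardened($payload);
printf("hardened:   object is %s\n", get_class($safe));
unset($safe); // incomplete class has no destructor -> nothing written
printf("hardened:   file created = %s\n", file_exists($target) ? 'yes' : 'no');

printf("json:       decoded = %s\n", var_export(load_layout_json($payload), true));
```

Run it with `php demo.php` on PHP 8.0 or later. The point of the gadget is that the theme never has to call anything on the injected object: the destructor runs when the reference count drops, which is why AC:H usually reduces to "is a suitable class loadable in this install" rather than to any weakness in the sink itself.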
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13053
Vulnerability details
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme (colorfolio) allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3 (inclusive).
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The deserialization/object-injection flaw sits in a publicly reachable WordPress theme, so an unauthenticated attacker can exploit it directly against the public-facing web application without any prior access.
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: timely patching removes the deserialization flaw from the installed ColorFolio theme and is the only control that closes CVE-2026-27096 itself.
- SI-10 Information Input Validation: checking untrusted input before it reaches a deserialization sink narrows the attack surface, but filtering serialized strings is not a reliable defence on its own; the decisive fix is to stop passing untrusted data to unserialize(), or to call it with allowed_classes set to false.
- RA-5 Vulnerability Monitoring and Scanning: scanning identifies installs running ColorFolio versions up to and including 1.3 so they can be patched or removed promptly.
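As an added example of the scanning control, not code from the page or from Patchstack: a WordPress theme declares its name, slug (Text Domain) and version in the header comment of its style.css, so a check for this CVE can parse that header and compare the version against the advisory's upper bound. The sample headers below are constructed; the parsing follows the same "Key: value" header convention WordPress itself reads, but the functions are this example's own.

```php
<?php
// Added example of the vulnerability-scanning control, not code from the page
// or from Patchstack. The header samples are constructed; the check flags a
// ColorFolio install whose version is in the advisory's range (<= 1.3).
declare(strict_types=1);

const LAST_AFFECTED_VERSION = '1.3';

// Parses "Key: value" lines from a style.css header, tolerating the comment
// characters WordPress allows before the key.
function parse_theme_header(string $style_css): array
{
    $fields = [];
    foreach (['Theme Name', 'Text Domain', 'Version'] as $key) {
        $pattern = '/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi';
        if (preg_match($pattern, $style_css, $m) === 1) {
            // Strip a trailing "*/" if the value sits on the last comment line.
            $fields[$key] = trim(preg_replace('/\s*\*\/.*$/', '', $m[1]));
        }
    }
    return $fields;
}

// True when the header belongs to ColorFolio and the version is <= 1.3.
// A header with no Version line is reported as affected, because the
// installation cannot be shown to be patched.
function is_affected_colorfolio(array $header): bool
{
    $name = $header['Theme Name'] ?? '';
    $slug = $header['Text Domain'] ?? '';
    if (stripos($name, 'ColorFolio') === false && strtolower($slug) !== 'colorfolio') {
        return false;
    }
    $version = trim($header['Version'] ?? '');
    if ($version === '') {
        return true;
    }
    // version_compare() handles multi-part versions: 1.2.9 <= 1.3, 1.3.1 > 1.3.
    // Anything above 1.3 is outside the advisory's stated range; confirm the
    // fixed version with the vendor before treating such an install as safe.
    return version_compare($version, LAST_AFFECTED_VERSION, '<=');
}

// Constructed sample headers standing in for wp-content/themes/*/style.css.
$samples = [
    'colorfolio (affected)'   => "/*\nTheme Name: ColorFolio - Freelance Designer WordPress Theme\nText Domain: colorfolio\nVersion: 1.3\n*/",
    'colorfolio (older)'      => "/*\nTheme Name: ColorFolio\nText Domain: colorfolio\nVersion: 1.2.9\n*/",
    'colorfolio (newer)'      => "/*\nTheme Name: ColorFolio\nText Domain: colorfolio\nVersion: 1.3.1\n*/",
    'colorfolio (no version)' => "/*\nTheme Name: ColorFolio\nText Domain: colorfolio\n*/",
    'other theme'             => "/*\nTheme Name: Twenty Twenty-Four\nText Domain: twentytwentyfour\nVersion: 1.0\n*/",
];

foreach ($samples as $label => $css) {
    $header = parse_theme_header($css);
    printf("%-24s version=%-6s affected=%s\n",
        $label,
        $header['Version'] ?? '(none)',
        is_affected_colorfolio($header) ? 'yes' : 'no');
}
```

On a real host, replace the `$samples` array with a loop over `wp-content/themes/*/style.css`; the header check is the same one `wp_get_theme()` relies on, so a version reported here matches what the WordPress admin screen shows.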