CVE-2026-27439
Published: 05 March 2026
Summary
CVE-2026-27439 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27439 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeREX Dentario WordPress theme, enabling Object Injection. Published on 2026-03-05, it affects Dentario versions from n/a through 1.5.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a critical severity. Unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required, potentially achieving high impacts on confidentiality, integrity, and availability through arbitrary object injection.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/dentario/vulnerability/wordpress-dentario-theme-1-5-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9650
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection. This issue affects Dentario: from n/a through <= 1.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated PHP object injection (deserialization) in a public-facing WordPress theme directly enables T1190 Exploit Public-Facing Application with full C/I/A impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, reporting, and correction of the deserialization flaw in the Dentario WordPress theme, eliminating the vulnerability through patching.
Implements input validation and error handling to block untrusted data from being deserialized, preventing object injection exploits.
Provides vulnerability scanning to identify the deserialization vulnerability in the Dentario theme, enabling timely remediation.