Cyber Posture

CVE-2026-32502

CriticalRCE

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32502 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
preventrecover

Requires timely identification, reporting, and patching of the deserialization flaw in vulnerable Borgholm theme versions prior to 1.6, directly eliminating the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Mandates vulnerability scanning to identify installations running vulnerable Borgholm theme versions, enabling prompt remediation.

SI-10 Information Input Validation partial match
prevent

Enforces validation of untrusted inputs, including serialized data, to block malicious payloads targeting the deserialization vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Unauthenticated remote deserialization/RCE in public-facing WordPress theme directly enables T1190 exploitation and Unix/PHP command execution via T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.

Deeper analysisAI

CVE-2026-32502 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Borgholm marketing agency WordPress theme developed by Select-Themes. The flaw enables Object Injection and affects all versions of the Borgholm theme from its initial release (n/a) through versions prior to 1.6. Published on March 25, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By supplying malicious serialized data, the attacker can trigger Object Injection, potentially leading to arbitrary code execution, data manipulation, or denial of service, depending on the injected objects and server environment.

The Patchstack advisory recommends updating the Borgholm theme to version 1.6 or later, where the vulnerability is addressed. Security practitioners should scan WordPress installations for vulnerable theme versions and apply the patch promptly, as no workarounds are specified in available references.

Details

CWE(s)
CWE-502

CVEs Like This One

CVE-2026-25358Shared CWE-502
CVE-2026-24989Shared CWE-502
CVE-2025-30773Shared CWE-502
CVE-2026-25316Shared CWE-502
CVE-2025-69002Shared CWE-502
CVE-2026-29109Shared CWE-502
CVE-2025-69036Shared CWE-502
CVE-2025-26885Shared CWE-502
CVE-2026-25400Shared CWE-502
CVE-2025-1913Shared CWE-502

References