CVE-2026-28134
Received Received - Intake
Code Injection in Crocoblock JetEngine Allows Remote Code Inclusion

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion.This issue affects JetEngine: from n/a through <= 3.7.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28134
EUVD
EUVD-2026-9784
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
crocoblock jetengine From 3.0.0 (inc) to 3.7.2 (inc)
crocoblock jetengine 3.8.1.2
crocoblock jetengine to 3.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28134 is a high-priority Remote Code Execution (RCE) vulnerability in the WordPress JetEngine plugin versions up to and including 3.7.2.

This vulnerability allows a malicious actor to execute arbitrary commands on the target website by exploiting improper control of code generation, specifically a code injection flaw.

To exploit this vulnerability, an attacker needs at least Contributor or Developer privileges on the site.

The issue is classified under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary commands remotely on the affected website.

Successful exploitation can lead to attackers gaining backdoor access and full control over the site.

This could result in unauthorized data access, site defacement, data loss, or using the site as a platform for further attacks.

Compliance Impact

I don't know

Detection Guidance

CVE-2026-28134 is a Remote Code Execution vulnerability in the WordPress JetEngine plugin up to version 3.7.2. Detection typically involves monitoring for suspicious activity related to code injection or unauthorized command execution on the affected site.

While no specific detection commands are provided, users can look for unusual HTTP requests targeting the JetEngine plugin endpoints or scan logs for attempts to exploit injection vulnerabilities.

Patchstack offers an automatic mitigation rule that can help block attacks targeting this vulnerability, which may also assist in detection by logging blocked attempts.

Mitigation Strategies

The immediate and recommended mitigation step is to update the WordPress JetEngine plugin to version 3.8.1.2 or later, which contains the patch for this vulnerability.

Until the update can be applied, users of Patchstack can enable the provided automatic mitigation rule to block attacks targeting this vulnerability.

Additionally, enabling auto-updates specifically for vulnerable plugins can help ensure ongoing protection against this and similar vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28134. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart