CVE-2026-39576
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-39576
EUVD
EUVD-2026-37690
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack singlemalt to 1.5 (inc)
patchstack singlemalt 1.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-39576 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-39576 is a high-priority PHP Object Injection vulnerability found in the WordPress SingleMalt Theme versions 1.5 and below.

This flaw allows unauthenticated attackers to inject malicious PHP objects, which can lead to various attacks such as code injection, SQL injection, path traversal, and denial of service if a suitable POP (Property Oriented Programming) chain exists.

The vulnerability has a CVSS score of 8.1, indicating a high severity and a significant risk of exploitation.

Impact Analysis

If exploited, this vulnerability can allow attackers to execute arbitrary code, perform SQL injection, traverse paths to access unauthorized files, and cause denial of service on affected websites.

Such impacts can lead to website defacement, data breaches, service outages, and potentially full system compromise.

Because the vulnerability is exploitable without authentication and has a high severity score, it poses a significant risk to websites using the vulnerable SingleMalt theme versions.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress SingleMalt Theme to version 1.6 or later, as this version contains the patch for the PHP Object Injection vulnerability.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Detection Guidance

The vulnerability affects WordPress SingleMalt Theme versions 1.5 and below and involves unauthenticated PHP Object Injection. Detection typically involves identifying the presence of the vulnerable theme version on your system.

To detect if your system is vulnerable, you can check the installed theme version by inspecting the WordPress themes directory or using WP-CLI commands.

  • Use WP-CLI to list installed themes and their versions: wp theme list
  • Manually check the theme version in the style.css file located in wp-content/themes/singlemalt/

For network detection, monitoring for exploit attempts can be done by looking for suspicious HTTP requests that attempt PHP Object Injection payloads targeting the SingleMalt theme. Patchstack has provided a mitigation rule to block attacks until the update is applied, which can be used as a reference for detection signatures.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39576. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart