PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49084 Jetimpex Inc. CVE debrief

CVE-2026-49084 is a critical vulnerability in the JetEngine plugin for WordPress, allowing unauthenticated SQL injection. With a CVSS score of 9.3, this vulnerability poses a significant risk to affected systems. The vulnerability was published on June 17, 2026, and immediately gained attention due to its severity. Users of JetEngine versions prior to 3.8.9.1 are urged to update to the latest version to mitigate this vulnerability. The CVE record and NVD details provide further information on this vulnerability.

Vendor: Jetimpex Inc.
Product: JetEngine
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the JetEngine plugin for WordPress, especially those using versions prior to 3.8.9.1, should be aware of this critical vulnerability and take immediate action to update their installations.

Technical summary

CVE-2026-49084 is an unauthenticated SQL injection vulnerability in the JetEngine plugin for WordPress. The vulnerability has a CVSS score of 9.3 and is classified as critical. It affects JetEngine versions before 3.8.9.1. The vulnerability allows attackers to inject malicious SQL code without authentication, potentially leading to data breaches or system compromise.

Defensive priority

High

Recommended defensive actions

  • Update JetEngine to version 3.8.9.1 or later
  • Review system logs for suspicious SQL activity
  • Implement additional security measures such as web application firewalls
  • Regularly update all plugins and software
  • Monitor for any signs of exploitation
  • Consider using a security scanner to detect potential vulnerabilities
  • Restrict access to sensitive areas of the system

Evidence notes

The information provided is based on data from official sources, including the CVE record and NVD details. The CVE was published on June 17, 2026, and the vendor, Patchstack, has provided mitigation details.
