PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39537 Mikado-Themes CVE debrief

CVE-2026-39537 is an unauthenticated local file inclusion vulnerability in Mikado Core versions <= 1.6. The vulnerability has a CVSS score of 8.1 and is rated HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Users of Mikado Core versions <= 1.6 should prioritize patching this vulnerability to prevent potential exploitation. The vulnerability's operational impact is likely significant, but the exact scope and severity are limited by the available evidence.

Vendor
Mikado-Themes
Product
Mikado Core
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of Mikado Core versions <= 1.6, operators of affected systems, and security teams responsible for vulnerability management should prioritize patching this vulnerability to prevent potential exploitation. The vulnerability's impact on affected systems is likely significant, and defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

CVE-2026-39537 is an unauthenticated local file inclusion vulnerability in Mikado Core versions <= 1.6. The vulnerability has a CVSS score of 8.1 and is rated HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability's technical impact is significant, and defenders should focus on patching affected systems. The available evidence suggests that the vulnerability is exploitable, but the exact technical details are limited.

Defensive priority

High priority should be given to patching this vulnerability due to its high CVSS score and potential for exploitation.

Recommended defensive actions

  • Apply patches or updates to Mikado Core versions <= 1.6
  • Review and update inventory of affected systems
  • Monitor for potential exploitation attempts
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The vulnerability was reported by [email protected] and is referenced in the NVD entry for CVE-2026-39537. The evidence is limited, and defenders should verify the affected scope and severity with the vendor or other trusted sources. The CVE record was published on 2026-06-17T13:20:19.210Z and has not been modified since then. Additional verification is required to confirm the vulnerability's impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:19.210Z and has not been modified since then.