PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39445 PressLayouts CVE debrief

CVE-2026-39445 is a high-severity unauthenticated PHP object injection vulnerability in Alukas versions prior to 3.0.0, with a CVSS score of 8.1 (HIGH). It was published on June 17, 2026, and last modified on the same day. Users of Alukas should update to version 3.0.0 or later to mitigate this vulnerability. The CVE record and NVD detail can be found at [cve-org] and [nvd] respectively. A mitigation reference is available at [ref-4].

Vendor: PressLayouts
Product: Alukas
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Users of Alukas versions prior to 3.0.0 should be aware of this vulnerability and take the necessary actions to mitigate it. This includes updating to version 3.0.0 or later and following best practices for preventing PHP object injection.

Technical summary

CVE-2026-39445 is an unauthenticated PHP object injection vulnerability in Alukas versions prior to 3.0.0. Its CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity. The CWE associated with this vulnerability is CWE-502.

Defensive priority

High

Recommended defensive actions

  • Update Alukas to version 3.0.0 or later
  • Follow best practices for preventing PHP object injection
  • Monitor for suspicious activity
  • Implement additional security measures to prevent exploitation
  • Review and update incident response plans
  • Consider implementing a web application firewall (WAF)
  • Keep software and dependencies up-to-date

Evidence notes

The evidence for this CVE comes from Patchstack, as indicated by the source item [source-item]. The CVE record and NVD detail can be found at [cve-org] and [nvd] respectively. A mitigation reference is available at [ref-4].
