PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27041 Studio Keren Aga LTD. CVE debrief

A critical vulnerability (CVSS score: 9.9) was discovered in the Unlimited Elements for Elementor (Premium) plugin, version 2.0.6 and earlier. It allows contributors to upload arbitrary files, potentially leading to severe consequences, including code execution and data breaches. The vulnerability was made public on June 17, 2026. Users of this plugin should immediately apply patches or updates to mitigate this risk. The vendor has not provided a canonical source, but Patchstack has reported this vulnerability. No ransomware campaigns have been linked to this vulnerability.

Vendor: Studio Keren Aga LTD.
Product: Unlimited Elements for Elementor (Premium)
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the Unlimited Elements for Elementor (Premium) plugin, version 2.0.6 and earlier, should be aware of this critical vulnerability. Immediate action is required to prevent potential exploitation.

Technical summary

CVE-2026-27041 is a critical arbitrary file upload issue in the Unlimited Elements for Elementor (Premium) plugin. With a CVSS score of 9.9, it allows contributors to upload files without proper restrictions, potentially leading to code execution. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity and availability.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates to the Unlimited Elements for Elementor (Premium) plugin immediately.
  • Restrict file uploads to only trusted users.
  • Monitor plugin usage and file uploads for suspicious activity.
  • Implement additional security measures, such as web application firewalls (WAFs).
  • Regularly update and patch all plugins and software.
  • Consider replacing the plugin if no patch is available.

Evidence notes

The vulnerability was reported by Patchstack and is listed in the NVD database. The CVE record was created on June 17, 2026. The vendor has not provided a canonical source. The vulnerability has not been linked to any ransomware campaigns.
