PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54194 ThemeFusion CVE debrief

CVE-2026-54194 is a critical vulnerability in Fusion Builder versions up to 3.15.4. It allows unauthenticated attackers to inject malicious PHP objects, potentially leading to arbitrary code execution. With a CVSS score of 9.8, it is rated critical and requires immediate attention. The CVE was published on June 17, 2026, and modified the same day. Users of Fusion Builder should take immediate action to mitigate it.

Vendor: ThemeFusion
Product: Fusion Builder
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of Fusion Builder versions up to 3.15.4 should be aware of this critical vulnerability and take immediate action to mitigate it. This vulnerability can be exploited by unauthenticated attackers, making it a high-risk issue.

Technical summary

CVE-2026-54194 is a PHP object injection vulnerability in Fusion Builder versions up to 3.15.4. Attackers can inject malicious PHP objects, which can lead to arbitrary code execution. The CVSS score is 9.8 (critical). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the vulnerability can be exploited over the network with low attack complexity, no privileges and no user interaction, and the impact on confidentiality, integrity and availability is high.

Defensive priority

High

Recommended defensive actions

  • Update Fusion Builder to version 3.15.5 or later
  • Restrict access to the Fusion Builder plugin
  • Monitor for suspicious activity
  • Implement a web application firewall (WAF)
  • Use secure coding practices
  • Regularly update and patch plugins and software
  • Perform security audits and vulnerability assessments

Evidence notes

The vulnerability was reported by Patchstack and is documented in the CVE record. The CVE record and NVD detail provide additional information about the vulnerability.
