PatchSiren cyber security CVE debrief
CVE-2026-39434 WebAppick CVE debrief
A high-severity vulnerability, CVE-2026-39434, was discovered in the CTX Feed plugin, affecting versions up to 6.6.26. This vulnerability allows shop managers to inject PHP objects, potentially leading to code execution, data breaches, or other malicious activities. The CVSS score for this vulnerability is 7.2, indicating a high level of severity.
- Vendor
- WebAppick
- Product
- CTX Feed
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of the CTX Feed plugin, specifically those with shop manager privileges, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability is caused by a PHP object injection issue in the CTX Feed plugin. This occurs when user-supplied input is not properly sanitized, allowing an attacker to inject malicious PHP objects. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High
Recommended defensive actions
- Update the CTX Feed plugin to a version that is not vulnerable (if available).
- Restrict access to the plugin's functionality to trusted users only.
- Monitor the plugin's logs for suspicious activity.
Evidence notes
The CVE was published on 2026-06-15T21:16:42.460Z and last modified on 2026-06-15T21:24:32.790Z. The vulnerability was reported by Patchstack.
Official resources
-
CVE-2026-39434 CVE record
CVE.org
-
CVE-2026-39434 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39434 was published on 2026-06-15T21:16:42.460Z.