{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32506", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.664Z", "datePublished": "2026-03-25T16:15:03.602Z", "dateUpdated": "2026-03-25T16:15:03.602Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "archicon", "product": "Archicon", "vendor": "Edge-Themes", "versions": [{"changes": [{"at": "1.7", "status": "unaffected"}], "lessThanOrEqual": "< 1.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:33.471Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection.<p>This issue affects Archicon: from n/a through < 1.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection.This issue affects Archicon: from n/a through < 1.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:03.602Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/archicon/vulnerability/wordpress-archicon-theme-1-7-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Archicon theme < 1.7 - Arbitrary Object Instantiation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection.This issue affects Archicon: from n/a through < 1.7."}], "id": "CVE-2026-32506", "lastModified": "2026-03-25T17:17:02.750", "metrics": {}, "published": "2026-03-25T17:17:02.750", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/archicon/vulnerability/wordpress-archicon-theme-1-7-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:31:15.510199+00:00", "value": {"mitigation_remediation": ["Update the Archicon theme to version 1.7 or later. ", "If updating is not immediately possible, disable or remove the Archicon theme from the WordPress installation. ", "Apply any additional vendor\u2011issued patches or workarounds as suggested by the manufacturer. ", "Monitor site logs and traffic for signs of suspicious activity or exploitation attempts."], "summary": {"action": "Patch Theme", "impact": "Arbitrary Object Instantiation enabling code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Edge\u2011Themes Archicon WordPress theme on all versions older than 1.7, including any initial release prior to the first stable version. Users who have not upgraded to 1.7 or later are exposed.", "description_and_impact": "Deserialization of untrusted data within the Archicon theme allows an attacker to instantiate arbitrary objects, which can lead to the execution of malicious code on the web server. This type of object injection can compromise the confidentiality, integrity, or availability of the site, potentially allowing full server takeover.", "risk_and_exploitability": "The CVSS score is not disclosed, but the nature of the flaw suggests a high severity. The exploit probability is unknown due to missing EPSS data, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers could potentially trigger the vulnerable deserialization routine by supplying crafted data that is processed by the theme, making exploitation feasible over the public web if the theme is active."}}}}, "created": "2026-03-25T21:47:33.787202+00:00", "updated": "2026-03-25T21:47:33.787233+00:00", "vendors": []}