{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32508", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.805Z", "datePublished": "2026-03-25T16:15:04.028Z", "dateUpdated": "2026-03-25T16:15:04.028Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "halstein", "product": "Halstein", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "1.8", "status": "unaffected"}], "lessThanOrEqual": "< 1.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:40.347Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection.<p>This issue affects Halstein: from n/a through < 1.8.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection.This issue affects Halstein: from n/a through < 1.8."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:04.028Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/halstein/vulnerability/wordpress-halstein-theme-1-8-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Halstein theme < 1.8 - Arbitrary Object Instantiation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection.This issue affects Halstein: from n/a through < 1.8."}], "id": "CVE-2026-32508", "lastModified": "2026-03-25T17:17:03.010", "metrics": {}, "published": "2026-03-25T17:17:03.010", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/halstein/vulnerability/wordpress-halstein-theme-1-8-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:30:40.569295+00:00", "value": {"mitigation_remediation": ["Verify the currently installed Halstein theme version.", "If the version is older than 1.8, upgrade to 1.8 or later.", "If an upgrade is not possible, deactivate or delete the Halstein theme to eliminate the vulnerability.", "Apply site\u2011wide security best practices such as restricting PHP execution permissions and monitoring for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The Mikado\u2011Themes Halstein WordPress theme is affected. All releases earlier than 1.8 are vulnerable. Any site that has the Halstein theme installed and is running a version below 1.8 should be considered at risk.", "description_and_impact": "The vulnerability arises from deserialization of untrusted data in the Halstein theme which allows an attacker to inject arbitrary objects. This can lead to arbitrary code execution on the site, granting attackers full control over the web application and underlying server. The weakness aligns with the common weakness of Deserialization of Untrusted Data.", "risk_and_exploitability": "The CVSS score is not disclosed, but the nature of the flaw suggests a high severity and the potential for remote exploitation. No EPSS score is available and the vulnerability is not listed in the CISA KEV. The attack likely targets the theme\u2019s deserialization routine, and an attacker could supply crafted data through the site\u2019s input interfaces to instantiate malicious objects. If the theme is active, the attacker may achieve full code execution on the server."}}}}, "created": "2026-03-25T21:47:32.015187+00:00", "updated": "2026-03-25T21:47:32.015219+00:00", "vendors": []}