Description
Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection leading to potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Deserialization of Untrusted Data flaw that enables an attacker to perform an Object Injection attack. According to the official description, a malicious payload can be injected during deserialization, which may allow the attacker to execute arbitrary code or modify system state. This is categorized as CWE-502.

Affected Systems

Affected product: Crocoblock JetEngine plugin. All releases earlier than 3.8.4.1 are impacted. The affected versions range from the earliest available release up to but not including 3.8.4.1.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity. The EPSS score is below 1 %, indicating that exploitation is currently not widespread. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the deserialization context; an attacker would need to supply crafted serialized data—typically via a web request or payload—to trigger the injection. Because deserialization occurs in the plugin’s processing flow, remote exploitation is plausible if the plugin is accessible over the web. The official description does not mention specific prerequisites, so the attack can be performed by any user with access to the vulnerable endpoint.

Generated by OpenCVE AI on March 17, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetEngine plugin to version 3.8.4.1 or later.
  • If upgrade is not immediately possible, disable the JetEngine plugin or the specific functionality that processes serialized data until a patch is applied.
  • Apply Web Application Firewall rules to block known malicious serialization payloads.
  • Regularly monitor for signs of exploitation, such as unexpected file creations or code execution patterns.

Generated by OpenCVE AI on March 17, 2026 at 16:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.
Title WordPress JetEngine plugin < 3.8.4.1 - Deserialization of untrusted data vulnerability
Weaknesses CWE-502
References

Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:57.854Z

Reserved: 2026-03-12T11:10:47.068Z

Link: CVE-2026-32355

cve-icon Vulnrichment

Updated: 2026-03-16T13:57:36.379Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:47.730

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32355

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:01Z

Weaknesses