HIGH · CVE-2026-39558 · Published · Modified · CNA: Patchstack

CVE-2026-39558: WordPress Malmö theme <= 2.2 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Malmö versions <= 2.2.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fixed version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A local file inclusion (LFI) vulnerability affects the Malmö WordPress theme, versions 2.2 and below. The flaw is reachable over the network without authentication: a crafted request causes the web server to include a file of the attacker's choosing from the local filesystem. Successful exploitation lets an attacker read sensitive files and, by chaining the inclusion with a file whose contents the attacker controls (a poisoned web-server log, for example), execute server-side code and fully compromise the host. The CVSS attack-complexity rating is High, meaning reliable exploitation depends on conditions outside the attacker's control (see Exploit Conditions below); it does not mean the flaw is hard to find. No fix has been published; HarborGuard tracks the advisory and will surface a patched rebuild as soon as upstream ships a remediated version.

HarborGuard Coverage

Detection: Available

The CVE is ingested from upstream advisory feeds within minutes of publication and matched against the theme version present in customer images, including custom-built WordPress images that bundle the Malmö theme. Any image containing an affected version of the theme is flagged immediately in the scan report.
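The version match above is what any scanner has to do for this advisory: find the theme and compare its declared version against the affected range. As an added example (not HarborGuard's scanner and not code from Elated-Themes), the following Python reads the WordPress theme header from `style.css`, which is where WordPress itself stores a theme's name and version, and flags installs at or below 2.2. The theme directory slug `malmo` is an assumption (the advisory does not state it), so the check also matches on the `Theme Name` header; the sample header is constructed for a self-contained run.

```python
import re
from pathlib import Path

# From the advisory: Malmö <= 2.2 is affected and no fixed version exists yet.
AFFECTED_THEME_NAME = "Malmö"
AFFECTED_MAX_VERSION = "2.2"

# Assumption: the theme's directory slug under wp-content/themes. The advisory
# does not state it, so the scan also matches on the "Theme Name" header.
ASSUMED_THEME_SLUG = "malmo"

# WordPress reads theme metadata from "Key: Value" lines in the comment block
# at the top of style.css. Only two keys matter for this check.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_theme_header(style_css: str) -> dict:
    """Return {'Theme Name': ..., 'Version': ...} as declared in a style.css header."""
    return dict(_HEADER_RE.findall(style_css))


def _version_tuple(v: str) -> tuple:
    """'2.2.1' -> (2, 2, 1). Non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, max_affected: str = AFFECTED_MAX_VERSION) -> bool:
    """True when version <= max_affected, compared numerically component-wise,
    so that 2.10 > 2.2 and 2.2.1 > 2.2 (a plain string compare gets both wrong)."""
    a, b = _version_tuple(version), _version_tuple(max_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def scan_theme_headers(headers: dict) -> list:
    """headers maps theme directory name -> style.css text. Returns a finding for
    every Malmö install whose declared version is in the affected range."""
    findings = []
    for slug, css in headers.items():
        hdr = parse_theme_header(css)
        name, version = hdr.get("Theme Name", ""), hdr.get("Version", "")
        if slug != ASSUMED_THEME_SLUG and name != AFFECTED_THEME_NAME:
            continue
        if version and is_affected(version):
            findings.append({"slug": slug, "name": name, "version": version,
                             "cve": "CVE-2026-39558"})
    return findings


def scan_themes_dir(themes_dir: Path) -> list:
    """Filesystem wrapper: read every wp-content/themes/*/style.css and scan it."""
    return scan_theme_headers({
        p.parent.name: p.read_text(encoding="utf-8", errors="replace")
        for p in themes_dir.glob("*/style.css")
    })


# Constructed sample headers for a self-contained run; not copies of real themes.
SAMPLE_THEMES = {
    "malmo": "/*\nTheme Name: Malmö\nAuthor: Elated-Themes\nVersion: 2.2\n*/\n",
    "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
}

if __name__ == "__main__":
    for f in scan_theme_headers(SAMPLE_THEMES):
        print(f"AFFECTED: {f['slug']} ({f['name']} {f['version']}) -> {f['cve']}")
```

Point `scan_themes_dir` at a container's `wp-content/themes` directory to run it against a real image; the numeric comparison matters because a future 2.10 release must not be flagged as older than 2.2.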
Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer environment's compliance policy, escalating findings in production-facing registries ahead of those in development pipelines. Triage alerts are routed to the team inbox configured in each customer org's notification settings.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Elated-Themes releases a remediated version of the Malmö theme. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the web server hosting the Malmö theme.

  • Authentication: Not required

    No account or session credential of any kind is needed to trigger the file inclusion.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user action or social engineering is involved.

  • Attack complexity: High

    Exploitation is rated High complexity (CVSS AC:H): reliable triggering depends on conditions the attacker does not control, such as a particular server configuration, assumptions about the filesystem layout, or the ability to stage a file to include. The rating says nothing about how easy the flaw is to find; treat an exposed, unpatched install as exploitable.

Blast Radius

  • Reads arbitrary files the web server process can open, including wp-config.php, which holds the database credentials and authentication salts. Caveat: if the inclusion goes through PHP's include/require, a .php file is executed rather than returned, so disclosing its source requires a stream wrapper such as php://filter, where the inclusion allows one.
  • Reads sensitive operating-system files such as /etc/passwd, application and web-server logs, and any private key material readable by the web server user.
  • Enables code execution on the server by including a file whose contents the attacker controls, for example a web-server log poisoned through a request header or an uploaded file, giving the attacker full control of the WordPress host.
  • Modifies or destroys application data if the attacker leverages the gained credentials or code execution to interact with the underlying database.
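The file targets and the log-poisoning step listed above are also the indicators a defender can hunt for while no patch exists. As an added example (not HarborGuard's detection logic and not code from the advisory), the following Python scans web-server access logs in combined log format for requests that carry those indicators: traversal sequences (checked after repeated URL-decoding, so double-encoded payloads are caught), PHP stream wrappers, sensitive target paths, null bytes, and PHP tags planted in the User-Agent or Referer header, which is how a log-poisoning payload is staged before the poisoned log is included. The sample log lines are constructed, and the query parameter `tpl` is invented because the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns, applied to the URL-decoded request target.
INDICATORS = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("php_wrapper", re.compile(r"\b(php|data|expect|phar|zip)://", re.I)),
    ("sensitive_path", re.compile(
        r"/etc/(passwd|shadow)|/proc/self/environ|wp-config\.php|/var/log/|/(access|error)[._-]?log",
        re.I)),
    ("null_byte", re.compile(r"\x00|%00")),
]
# A PHP open tag in a header is the classic log-poisoning payload.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)


def decode_repeatedly(s: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %252e%252e%252f still becomes ../"""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify_request(target: str, referer: str, ua: str) -> list:
    """Return the list of indicator names a request matches (empty if benign)."""
    decoded = decode_repeatedly(target)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(referer):
        hits.append("php_tag_in_header")
    return hits


def scan_access_log(text: str) -> list:
    """Parse combined-format log text and return one alert per suspicious request.
    Unparseable lines are skipped; the HTTP status is kept because a 200 on a
    traversal request is a much stronger signal than a 404."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"], m["referer"], m["ua"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                           "status": int(m["status"]), "indicators": hits})
    return alerts


# Constructed sample lines, not captured traffic. "tpl" is an invented parameter name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:12 +0000] "GET /wp-content/themes/malmo/assets/css/style.css HTTP/1.1" 200 1811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "GET /?tpl=../../../../etc/passwd HTTP/1.1" 200 2034 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2026:10:02:01 +0000] "GET /?tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2026:10:02:03 +0000] "GET /?tpl=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2026:10:03:40 +0000] "GET /?tpl=/var/log/apache2/access.log HTTP/1.1" 200 98122 "-" "<?php system($_GET['c']); ?>"
"""

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['status']} {a['target']} -> {', '.join(a['indicators'])}")
```

The third sample line (size 0 on a wp-config.php include) and the fourth (a large php://filter response) show the include-versus-disclose distinction in practice: a direct include of a PHP file executes it and returns nothing useful, while the filter wrapper returns its base64-encoded source.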

How HarborGuard Handles This

Available on HarborGuard: any image containing Malmö theme version 2.2 or below is flagged automatically within minutes of the CVE entering upstream feeds, with no manual scan trigger required. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment Elated-Themes publishes a remediated release; for customers with auto-remediation enabled, the rebuild and regression run fire automatically and a PR is opened against affected workloads. In the interim, compensating controls worth considering: confine what the PHP process can include to the site's own directories (PHP's open_basedir directive and tight filesystem permissions for the web server user, so wp-config.php and system logs are not readable outside the intended paths); block traversal sequences and stream wrappers such as ../ and php:// in request parameters at the WAF or reverse proxy; restrict inbound HTTP access to the WordPress host to trusted origins where the site is not meant to be public; and disable or replace the Malmö theme entirely if it is not actively needed in production. Note that egress filtering does not help here: the file read happens locally inside the web server process and the contents come back in the HTTP response.

Affected packages
  • Elated-Themes / Malmö: ≤ 2.2 (no fixed version published)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H