Home / Vulnerability Intelligence / CVE-2026-39440

CVE-2026-39440 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: April 23, 2026

Funnelforms LLC FunnelFormsPro - Remote Code Inclusion

Published: April 23, 2026Updated: April 23, 2026Remote Exploitable

Overview

Funnelforms LLC FunnelFormsPro <= 3.8.1 contains a remote code inclusion caused by improper control of code generation, letting remote attackers include and execute arbitrary code, exploit requires no special privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 1.7%(Probability of exploitation in next 30 days)

Impact

Remote attackers can include and execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to the latest version beyond 3.8.1.

References

https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 23, 2026

🔴 CVE-2026-39440 - Critical (9.9) Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39440/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39440
Severity: Critical
CVSS Score: 9.9
Type: file_inclusion
Status: rejected
EPSS: 1.7%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

1.7%Probability of exploitation in the next 30 days