What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.
CVE-2025-64206
CRITICAL
CVE-2025-64206: WordPress Jannah theme <= 7.6.0 - PHP Object Injection vulnerability
CVSS base score
9.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
Jannah versions up to 7.6.0 contain a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code on the site without user interaction. The vulnerability stems from unsafe handling of serialized data, enabling remote code execution through network requests. All installations should update immediately.
What an attacker can do
03Attacker Capabilities
Run their own code on the site and take full control of it.
Potential impact on your site
04Site Impact
Complete site compromise, including data theft, malware injection, and loss of availability.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
December 18, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-23914 WordPress Muzaara Google Ads Report Plugin <= 3.1 - PHP Object Injection vulnerability
CVE-2026-32506 WordPress Archicon theme < 1.7 - Arbitrary Object Instantiation vulnerability
CVE-2025-4260 zhangyanbo2007 youkefu TemplateController.java impsave deserialization
CVE-2025-10965 LazyAGI LazyLLM server.py lazyllm_call deserialization
CVE-2026-39550 WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability
