CVE-2026-39440
Published 2026-04-23
CVE-2026-39440: Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects…
Priority P265 · critical · 9.9 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.36% (28.3th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| funnelforms_llc | funnelformspro | n/a – 3.8.1 | — |
GHSA
GHSA-62r3-9jjw-5j78: Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion
ghsa_unreviewed · 2026-04-23
CVE-2026-39440 [CRITICAL] CWE-94 GHSA-62r3-9jjw-5j78: Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1.
VulDB
Funnelforms FunnelFormsPro Plugin up to 3.8.1 on WordPress Inclusion.This code injection (EUVD-2026-25220)
vuldb · 2026-04-23 · CVSS 9.9
CVE-2026-39440 [CRITICAL] Funnelforms FunnelFormsPro Plugin up to 3.8.1 on WordPress Inclusion.This code injection (EUVD-2026-25220)
A vulnerability described as critical has been identified in Funnelforms FunnelFormsPro Plugin up to 3.8.1 on WordPress. Affected by this issue is the function Inclusion.This. Executing a manipulation can lead to code injection.
This vulnerability is registered as CVE-2026-39440. It is possible to launch the attack remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-23