CVE-2026-39440
Funnelforms LLC · FunnelFormsPro
FunnelFormsPro is vulnerable to remote code inclusion via improper control of code generation, allowing unauthenticated attackers to execute arbitrary code on the host server.
Executive summary
A critical remote code inclusion vulnerability in FunnelFormsPro allows unauthenticated attackers to execute arbitrary code, potentially leading to a full system compromise.
Vulnerability
This is a code injection vulnerability where the application fails to sanitize input properly, leading to Remote Code Inclusion (RCI). The flaw can be triggered by an unauthenticated attacker, granting them the ability to execute malicious scripts within the context of the web server.
Business impact
With a CVSS score of 9.9, this vulnerability represents a maximum-severity risk. Successful exploitation allows for complete unauthorized control over the server environment, leading to data exfiltration, service disruption, and the potential for lateral movement within the corporate network.
Remediation
Immediate Action: Update FunnelFormsPro to the latest available version that patches the code inclusion vulnerability.
Proactive Monitoring: Monitor server logs for execution of unexpected system commands or unusual file creation in the web root directory.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common code injection patterns and suspicious remote file inclusion attempts.
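The monitoring item above recommends watching for unusual file creation in the web root. As an added example that is not part of this advisory and not code from Funnelforms, the script below is a generic file-integrity check: it hashes every file under a web root to build a baseline manifest, diffs a later manifest against it, and flags added or modified files whose extension would be executed by a PHP-style web server. The web root, file names and the "post-compromise" changes are all constructed inside a temporary directory so the script runs offline; the set of script extensions is an assumption to be tuned for the deployment.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions that a typical PHP web server would execute; a new or changed file
# with one of these under the web root deserves immediate attention.
# Constructed for this example, not taken from the advisory.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(web_root: Path) -> dict:
    """Map each regular file under web_root (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(web_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(web_root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests and classify the differences.

    'suspicious' lists added or modified files with a script extension; those
    are the ones a reviewer should open first after an RCI-style incident.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    suspicious = sorted(
        k for k in added + modified if Path(k).suffix.lower() in SCRIPT_EXTENSIONS
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "clean" web root
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "assets").mkdir()
        (root / "assets" / "style.css").write_text("body{}")
        baseline = build_manifest(root)

        # Constructed changes: a dropped script in an uploads folder, an edited
        # page, and a harmless new image that should NOT be flagged as suspicious
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php /* constructed */ ?>")
        (root / "index.php").write_text("<?php echo 'changed'; ?>")
        (root / "assets" / "logo.png").write_bytes(b"\x89PNG")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline manifest would be written to storage outside the web root (for example as JSON) right after a known-good deployment or upgrade, and the diff run on a schedule or from a file-change trigger; any hit in the "suspicious" list is the event to raise to the incident-response process alongside the log review the advisory describes.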
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability must be addressed with the highest level of urgency. Organizations should verify their current version of FunnelFormsPro and apply the necessary updates immediately to prevent remote code execution attacks against their infrastructure.