Total
2419 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27749 | | | 2026-03-05 | N/A | 7.8 HIGH |
| Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload th ... |
| CVE-2026-28074 | | | 2026-03-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection. This issue affects Pizza House: from n/a through <= 1.4.0. |
| CVE-2026-2113 | 1 Tpadmin Project | 1 Tpadmin | 2026-03-05 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2026-28277 | | | 2026-03-05 | N/A | 6.8 MEDIUM |
| LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that tri ... |
| CVE-2026-20131 | | | 2026-03-05 | N/A | 10.0 CRITICAL |
| A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow t ... |
| CVE-2026-27369 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection. This issue affects Celeste: from n/a through <= 1.3.6. |
| CVE-2026-23798 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection. This issue affects PowerPress Podcasting: from n/a through <= 11.15.10. |
| CVE-2026-22471 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection. This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1. |
| CVE-2026-27439 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection. This issue affects Dentario: from n/a through <= 1.5. |
| CVE-2026-24385 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection. This issue affects Podlove Web Player: from n/a through <= 5.9.1. |
| CVE-2026-22473 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection. This issue affects Dental Clinic: from n/a through <= 3.7. |
| CVE-2026-27417 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through < 4.0.1. |
| CVE-2026-27438 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Kingler kingler allows Object Injection. This issue affects Kingler: from n/a through <= 1.7. |
| CVE-2026-22475 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4. |
| CVE-2026-27098 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection. This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2. |
| CVE-2026-22454 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection. This issue affects Solaris: from n/a through <= 2.5. |
| CVE-2026-27379 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g allows Object Injection. This issue affects NextScripts: from n/a through <= 4.4.7. |
| CVE-2026-27437 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection. This issue affects Tennis Club: from n/a through <= 1.2.3. |
| CVE-2026-22497 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection. This issue affects Jardi: from n/a through <= 1.7.2. |
| CVE-2026-22451 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection. This issue affects Handyman: from n/a through <= 1.4. |
| CVE-2026-22474 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection. This issue affects Equestrian Centre: from n/a through <= 1.5. |
| CVE-2025-54001 | | | 2026-03-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection. This issue affects Classter: from n/a through <= 2.5. |
| CVE-2026-27338 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection. This issue affects Car Zone: from n/a through <= 3.7. |
| CVE-2026-22501 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection. This issue affects Mounthood: from n/a through <= 1.3.2. |
| CVE-2026-22417 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection. This issue affects Grand Wedding: from n/a through <= 3.1.0. |
| CVE-2026-22453 | | | 2026-03-05 | N/A | N/A |
| Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3. |
| CVE-2026-28105 | | | 2026-03-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection. This issue affects Good Energy: from n/a through <= 1.7.7. |
| CVE-2026-2599 | | | 2026-03-05 | N/A | 9.8 CRITICAL |
| The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP ... |
| CVE-2026-27971 | 1 Qwik | 1 Qwik | 2026-03-05 | N/A | 9.8 CRITICAL |
| Qwik is a performance-focused JavaScript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1. |
| CVE-2026-3452 | 1 Concretecms | 1 Concrete Cms | 2026-03-04 | N/A | 7.2 HIGH |
| Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/ ... |
| CVE-2025-50198 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 4.9 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. This issue has been patched in version 1.11.30. |
| CVE-2024-47886 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 7.2 HIGH |
| Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize that leads to remote code execution (RCE) in versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26. |
| CVE-2025-52998 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 9.8 CRITICAL |
| Chamilo is a learning management system. Prior to version 1.11.30, the application deserializes data that can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30. |
| CVE-2026-24765 | 2 Debian, Phpunit Project | 2 Debian Linux, Phpunit | 2026-03-03 | N/A | 7.8 HIGH |
| PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when ... |
| CVE-2026-2970 | 1 Datapizza | 1 Datapizza Ai | 2026-03-03 | 4.0 MEDIUM | 4.6 MEDIUM |
| A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure ... |
| CVE-2026-1691 | 1 Adlered | 1 Bolo-solo | 2026-03-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2026-2471 | | | 2026-03-02 | N/A | 7.5 HIGH |
| The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retrieved from the database without validation. This makes it possible for unauthenticated attackers to inject a PHP Object by submitting a double-serialized payload through any public-facing form that send ... |
| CVE-2026-1542 | | | 2026-03-02 | N/A | 6.5 MEDIUM |
| The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. |
| CVE-2026-21619 | | | 2026-03-02 | N/A | N/A |
| Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0. ... |
| CVE-2026-3422 | | | 2026-03-02 | N/A | 9.8 CRITICAL |
| U-Office Force developed by e-Excellence has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content. |