Total
2419 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10173 | 2 Oracle, Xstream | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2025-05-14 | 7.5 HIGH | 9.8 CRITICAL |
|
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
|
|||||
| CVE-2025-30378 | 1 Microsoft | 1 Sharepoint Server | 2025-05-14 | N/A | 7.0 HIGH |
|
Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
|
|||||
| CVE-2025-0734 | 1 Ruoyi | 1 Ruoyi | 2025-05-13 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2020-15842 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.8 MEDIUM | 8.1 HIGH |
|
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
|
|||||
| CVE-2022-3291 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 6.5 MEDIUM |
|
Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache
|
|||||
| CVE-2022-40889 | 1 Phpok | 1 Phpok | 2025-05-13 | N/A | 9.8 CRITICAL |
|
Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php.
|
|||||
| CVE-2022-39198 | 1 Apache | 1 Dubbo | 2025-05-13 | N/A | 9.8 CRITICAL |
|
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
|
|||||
| CVE-2025-31103 | 1 Appleple | 1 A-blog Cms | 2025-05-13 | N/A | 7.5 HIGH |
|
Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server.
|
|||||
| CVE-2024-2721 | 1 Sygnoos | 1 Social Media Share Buttons | 2025-05-13 | N/A | 8.2 HIGH |
|
Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.
|
|||||
| CVE-2025-47629 | 1 Wp-crm | 1 Wp-crm System | 2025-05-12 | N/A | 7.2 HIGH |
|
Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection. This issue affects WP-CRM System: from n/a through 3.4.1.
|
|||||
| CVE-2025-46738 | 2025-05-12 | N/A | 6.6 MEDIUM | ||
|
An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code.
|
|||||
| CVE-2023-1650 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 9.8 CRITICAL |
|
The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog
|
|||||
| CVE-2024-22309 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 8.7 HIGH |
|
Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI.This issue affects ChatBot with AI: from n/a through 5.1.0.
|
|||||
| CVE-2020-8165 | 3 Debian, Opensuse, Rubyonrails | 3 Debian Linux, Leap, Rails | 2025-05-09 | 7.5 HIGH | 9.8 CRITICAL |
|
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
|
|||||
| CVE-2022-3335 | 1 Kadencewp | 1 Kadence Woocommerce Email Designer | 2025-05-09 | N/A | 7.2 HIGH |
|
The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
|
|||||
| CVE-2022-23734 | 1 Github | 1 Enterprise Server | 2025-05-09 | N/A | 8.8 HIGH |
|
A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability affected all versions of GitHub Enterprise Server prior to v3.6 and was fixed in versions 3.5.3, 3.4.6, 3.3.11, and 3.2.16. This vulnerability ...
Show More |
|||||
| CVE-2024-3591 | 1 Infinitumform | 1 Geo Controller | 2025-05-08 | N/A | 6.5 MEDIUM |
|
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
|
|||||
| CVE-2022-38108 | 1 Solarwinds | 1 Orion Platform | 2025-05-08 | N/A | 7.2 HIGH |
|
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
|
|||||
| CVE-2025-47683 | 2025-05-08 | N/A | 7.2 HIGH | ||
|
Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection. This issue affects WP Maintenance: from n/a through 6.1.9.7.
|
|||||
| CVE-2024-23759 | 1 Gambio | 1 Gambio | 2025-05-07 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.
|
|||||
| CVE-2025-31175 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-07 | N/A | 8.4 HIGH |
|
Deserialization mismatch vulnerability in the DSoftBus module
Impact: Successful exploitation of this vulnerability may affect service integrity.
|
|||||
| CVE-2022-39944 | 1 Apache | 1 Linkis | 2025-05-07 | N/A | 8.8 HIGH |
|
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.
|
|||||
| CVE-2024-34433 | 1 Ocdi | 1 One Click Demo Import | 2025-05-07 | N/A | 4.4 MEDIUM |
|
Deserialization of Untrusted Data vulnerability in OCDI One Click Demo Import.This issue affects One Click Demo Import: from n/a through 3.2.0.
|
|||||
| CVE-2024-26580 | 1 Apache | 1 Inlong | 2025-05-07 | N/A | 9.1 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can
use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9673
|
|||||
| CVE-2024-28213 | 1 Naver | 1 Ngrinder | 2025-05-07 | N/A | 9.8 CRITICAL |
|
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
|
|||||
| CVE-2024-28212 | 1 Naver | 1 Ngrinder | 2025-05-07 | N/A | 9.8 CRITICAL |
|
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
|
|||||
| CVE-2024-28211 | 1 Naver | 1 Ngrinder | 2025-05-07 | N/A | 9.8 CRITICAL |
|
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.
|
|||||
| CVE-2022-40238 | 1 Cert | 1 Vince | 2025-05-07 | N/A | 8.8 HIGH |
|
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
|
|||||
| CVE-2025-0855 | 2025-05-07 | N/A | 9.8 CRITICAL | ||
|
The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or ex ...
Show More |
|||||
| CVE-2024-29433 | 1 Alldata | 1 Alldata | 2025-05-07 | N/A | 9.8 CRITICAL |
|
A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data.
|
|||||
| CVE-2022-3380 | 1 Wpbeaverbuilder | 1 Customizer Export\/import | 2025-05-06 | N/A | 7.2 HIGH |
|
The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
|
|||||
| CVE-2022-3374 | 1 Oceanwp | 1 Ocean Extra | 2025-05-06 | N/A | 7.2 HIGH |
|
The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.
|
|||||
| CVE-2022-3366 | 1 Publishpress | 1 Capabilities | 2025-05-06 | N/A | 7.2 HIGH |
|
The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.
|
|||||
| CVE-2022-3360 | 1 Thimpress | 1 Learnpress | 2025-05-06 | N/A | 8.1 HIGH |
|
The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.
|
|||||
| CVE-2022-3357 | 1 Nextendweb | 1 Smart Slider 3 | 2025-05-06 | N/A | 8.8 HIGH |
|
The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.
|
|||||
| CVE-2025-2855 | 1 Eladmin | 1 Eladmin | 2025-05-06 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is the function checkFile of the file /api/deploy/upload. The manipulation of the argument servers leads to deserialization. The attack may be launched remotely.
|
|||||
| CVE-2025-2105 | 1 Artbees | 1 Jupiter X Core | 2025-05-06 | N/A | 8.1 HIGH |
|
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP ...
Show More |
|||||
| CVE-2022-3334 | 1 Wp-ecommerce | 1 Easy Wp Smtp | 2025-05-06 | N/A | 7.2 HIGH |
|
The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
|
|||||
| CVE-2018-6331 | 1 Facebook | 1 Buck | 2025-05-06 | 7.5 HIGH | 9.8 CRITICAL |
|
Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
|
|||||
| CVE-2018-15965 | 1 Adobe | 1 Coldfusion | 2025-05-06 | 10.0 HIGH | 9.8 CRITICAL |
|
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
|
|||||