Total: 2419 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-7504 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | HTTPServerILServlet.java in the JMS over HTTP Invocation Layer of the JBossMQ implementation, which is enabled by default in Red Hat JBoss Application Server <= JBoss 4.X, does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. |
| CVE-2017-2295 | 2 Debian, Puppet | 2 Debian Linux, Puppet | 2025-04-20 | 6.0 MEDIUM | 8.2 HIGH | Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. |
| CVE-2017-17672 | 1 Vbulletin | 1 Vbulletin | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates. |
| CVE-2017-1000208 | 1 Swagger | 2 Swagger-codegen, Swagger-parser | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH | A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification. |
| CVE-2017-9363 | 1 Soffid | 1 Iam | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request. |
| CVE-2017-5641 | 2 Apache, Hp | 2 Flex Blazeds, Xp Command View Advanced Edition | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party li ... |
| CVE-2017-14702 | 1 Branaghgroup | 1 Ers Data System | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization. |
| CVE-2017-11143 | 1 Php | 1 Php | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. |
| CVE-2017-5983 | 1 Atlassian | 1 Jira | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. |
| CVE-2017-8804 | 1 Gnu | 1 Glibc | 2025-04-20 | 7.8 HIGH | 7.5 HIGH | The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references |
| CVE-2017-0806 | 1 Google | 1 Android | 2025-04-20 | 9.3 HIGH | 7.8 HIGH | An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805. |
| CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an `<ex:serializable>` element. |
| CVE-2016-0779 | 1 Apache | 1 Tomee | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. |
| CVE-2014-9515 | 1 Dozer Project | 1 Dozer | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. |
| CVE-2017-1000053 | 1 Plug Project | 1 Plug | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH | Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. |
| CVE-2017-12628 | 1 Apache | 1 James Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH | The JMX server embedded in Apache James, also used by the command line client, is exposed to a Java deserialization issue, and thus can be used to execute arbitrary commands. As James exposes the JMX socket by default only on localhost, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. |
| CVE-2016-8749 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks. |
| CVE-2017-0903 | 4 Canonical, Debian, Redhat and 1 more | 9 Ubuntu Linux, Debian Linux, Enterprise Linux Desktop and 6 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. |
| CVE-2017-12612 | 1 Apache | 1 Spark | 2025-04-20 | 7.2 HIGH | 7.8 HIGH | In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2. ... |
| CVE-2017-9424 | 1 Ideablade | 1 Breeze.server.net | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization. |
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2025-04-20 | 8.5 HIGH | 6.5 MEDIUM | In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. |
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | IBM WebSphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. |
| CVE-2024-1685 | 1 Sygnoos | 1 Social Media Share Buttons | 2025-04-18 | N/A | 8.8 HIGH | The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacke ... |
| CVE-2025-27287 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz allows Object Injection. This issue affects SS Quiz: from n/a through 2.0.5. |
| CVE-2025-27286 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider allows Object Injection. This issue affects Saoshyant Slider: from n/a through 3.0. |
| CVE-2025-39588 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0. |
| CVE-2025-32686 | | | 2025-04-17 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0. |
| CVE-2025-32572 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection. This issue affects Kata Plus: from n/a through 1.5.2. |
| CVE-2025-39527 | | | 2025-04-17 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7. |
| CVE-2025-32658 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection. This issue affects HelpGent: from n/a through 2.2.4. |
| CVE-2025-39550 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15. |
| CVE-2025-32647 | | | 2025-04-17 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer allows Object Injection. This issue affects Question Answer: from n/a through 1.2.70. |
| CVE-2025-32662 | | | 2025-04-17 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0. |
| CVE-2025-32571 | | | 2025-04-17 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10. |
| CVE-2025-39551 | | | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection. This issue affects FluentBoards: from n/a through 1.47. |
| CVE-2023-49442 | 1 Jeecg | 1 Jeecg | 2025-04-17 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via a crafted POST request. |
| CVE-2022-41596 | 1 Huawei | 2 Emui, Harmonyos | 2025-04-16 | N/A | 7.5 HIGH | The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components. |
| CVE-2025-3677 | | | 2025-04-16 | 4.3 MEDIUM | 5.3 MEDIUM | A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the function split_files/apply_delta_low_cpu_mem of the file fastchat/model/apply_delta.py. The manipulation leads to deserialization. An attack has to be approached locally. |
| CVE-2025-31935 | | | 2025-04-15 | N/A | 6.2 MEDIUM | Subnet Solutions PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition. |
| CVE-2025-3622 | | | 2025-04-15 | 5.2 MEDIUM | 5.5 MEDIUM | A vulnerability, which was classified as critical, has been found in Xorbits Inference up to 1.4.1. This issue affects the function load of the file xinference/thirdparty/cosyvoice/cli/model.py. The manipulation leads to deserialization. |