Total: 2419 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-60455 | 1 Modular | 1 Max | 2026-01-08 | N/A | 8.4 HIGH | Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used, allowing attackers to execute arbitrary code. |
| CVE-2025-66524 | 1 Apache | 1 Nifi | 2026-01-08 | N/A | 8.8 HIGH | Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache Ni ... |
| CVE-2025-65213 | 1 Mthreads | 1 Torch Musa | 2026-01-07 | N/A | 9.8 CRITICAL | MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process. |
| CVE-2025-15276 | 1 Fontforge | 1 Fontforge | 2026-01-07 | N/A | 7.8 HIGH | FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deseri ... |
| CVE-2017-20207 | 1 Dancoulter | 1 Flickr Gallery | 2026-01-05 | N/A | 9.8 CRITICAL | The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. |
| CVE-2025-34449 | 1 Genymotion | 1 Scrcpy | 2026-01-03 | N/A | 9.1 CRITICAL | Genymobile/scrcpy versions up to and including 3.3.3, prior to commit 3e40b24, contain a buffer overflow vulnerability in the sc_device_msg_deserialize() function. A compromised device can send crafted messages that cause out-of-bounds reads, which may result in memory corruption or a denial-of-service condition. This vulnerability may allow further exploitation on the host system. |
| CVE-2024-24551 | 1 Bludit | 1 Bludit | 2026-01-02 | N/A | 8.8 HIGH | A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. |
| CVE-2024-24550 | 1 Bludit | 1 Bludit | 2026-01-02 | N/A | 8.1 HIGH | A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API, which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. |
| CVE-2024-31211 | 1 Wordpress | 1 Wordpress | 2026-01-02 | N/A | 5.5 MEDIUM | WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected. |
| CVE-2025-11157 | | | 2026-01-02 | N/A | 7.8 HIGH | A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability t ... |
| CVE-2025-67747 | 1 Trailofbits | 1 Fickling | 2026-01-02 | N/A | 7.8 HIGH | Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their sys ... |
| CVE-2025-67748 | 1 Trailofbits | 1 Fickling | 2026-01-02 | N/A | 7.8 HIGH | Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues. |
| CVE-2025-67729 | 1 Internlm | 1 Lmdeploy | 2025-12-31 | N/A | 8.8 HIGH | LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1. |
| CVE-2025-15222 | | | 2025-12-31 | 4.6 MEDIUM | 5.0 MEDIUM | A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way ... |
| CVE-2025-63950 | 1 Tomaszdunia | 1 Twittodon | 2025-12-31 | N/A | 7.5 HIGH | An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service. |
| CVE-2025-63951 | 1 Sourcefabric | 1 Phoniebox | 2025-12-31 | N/A | 7.5 HIGH | An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service. |
| CVE-2025-62703 | 1 Fugue-project | 1 Fugue | 2025-12-30 | N/A | 8.8 HIGH | Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cl ... |
| CVE-2024-1432 | 1 Iperov | 1 Deepfacelab | 2025-12-30 | 5.1 MEDIUM | 5.0 MEDIUM | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22 and classified as problematic. This issue affects the function apply_xseg of the file main.py. The manipulation leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253391. NO ... |
| CVE-2025-26866 | 1 Apache | 1 Hugegraph | 2025-12-29 | N/A | 8.8 HIGH | A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue. |
| CVE-2025-13716 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent MimicMotion create_pipeline Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MimicMotion. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the create_pipeline function. The issue results from the lack of proper validation of user-supplied data, whi ... |
| CVE-2025-13707 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can r ... |
| CVE-2025-13710 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_vae function. The issue results from the lack of proper validation of user-supplied data, which can result ... |
| CVE-2025-13706 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, w ... |
| CVE-2025-13712 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent HunyuanDiT merge Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deser ... |
| CVE-2025-14925 | | | 2025-12-29 | N/A | 7.8 HIGH | Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can res ... |
| CVE-2025-14922 | | | 2025-12-29 | N/A | 7.8 HIGH | Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which ... |
| CVE-2025-14931 | | | 2025-12-29 | N/A | 10.0 CRITICAL | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An at ... |
| CVE-2025-13714 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MedicalNet. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the generate_model function. The issue results from the lack of proper validation of user-supplied data, which c ... |
| CVE-2025-13713 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, whi ... |
| CVE-2025-13708 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent NeuralNLP-NeuralClassifier _load_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent NeuralNLP-NeuralClassifier. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the _load_checkpoint function. The issue results from the lack of proper valid ... |
| CVE-2025-13715 | | | 2025-12-29 | N/A | 7.8 HIGH | Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent FaceDetection-DSFD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the resnet endpoint. The issue results from the lack of proper validation of user-supplied data, which c ... |
| CVE-2025-15117 | | | 2025-12-29 | 2.1 LOW | 3.1 LOW | A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-13467 | | | 2025-12-23 | N/A | 5.5 MEDIUM | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. |
| CVE-2025-9083 | 1 Ninjaforms | 1 Ninja Forms | 2025-12-23 | N/A | 9.8 CRITICAL | The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. |
| CVE-2017-20206 | 1 Wpmudev | 1 Appointments | 2025-12-23 | N/A | 9.8 CRITICAL | The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. |
| CVE-2025-34394 | 1 Barracuda | 1 Rmm | 2025-12-23 | N/A | 9.8 CRITICAL | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution. |
| CVE-2017-20208 | 1 Metagauss | 1 Registrationmagic | 2025-12-19 | N/A | 9.8 CRITICAL | The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site. |
| CVE-2019-10068 | 1 Kentico | 1 Xperience | 2025-12-19 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted. |
| CVE-2025-65035 | | | 2025-12-19 | N/A | 6.4 MEDIUM | pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup, and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue. |
| CVE-2025-55232 | 1 Microsoft | 1 Hpc Pack | 2025-12-19 | N/A | 9.8 CRITICAL | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. |