Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-5878

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-08 Jun, 2017 | 16:00
Updated At-05 Aug, 2024 | 15:11
Rejected At-
Credits

The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:08 Jun, 2017 | 16:00
Updated At:05 Aug, 2024 | 15:11
Rejected At:
▼CVE Numbering Authority (CNA)

The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2017/05/22/2
mailing-list
x_refsource_MLIST
Hyperlink: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Resource:
x_refsource_MISC
Hyperlink: http://www.openwall.com/lists/oss-security/2017/05/22/2
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
x_refsource_MISC
x_transferred
http://www.openwall.com/lists/oss-security/2017/05/22/2
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2017/05/22/2
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:08 Jun, 2017 | 16:29
Updated At:13 May, 2026 | 00:24

The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

red5
red5
>>media_server>>1.0.2
cpe:2.3:o:red5:media_server:1.0.2:-:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.2
cpe:2.3:o:red5:media_server:1.0.2:milestone1:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.3
cpe:2.3:o:red5:media_server:1.0.3:*:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.4
cpe:2.3:o:red5:media_server:1.0.4:*:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.5
cpe:2.3:o:red5:media_server:1.0.5:*:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.6
cpe:2.3:o:red5:media_server:1.0.6:*:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:-:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone1:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone2:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone3:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone4:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone5:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone6:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.7
cpe:2.3:o:red5:media_server:1.0.7:milestone7:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone1:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone10:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone11:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone12:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone13:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone2:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone3:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone4:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone5:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone6:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone7:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone8:*:*:*:*:*:*
red5
red5
>>media_server>>1.0.8
cpe:2.3:o:red5:media_server:1.0.8:milestone9:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Primarynvd@nist.gov
CWE ID: CWE-502
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2017/05/22/2cve@mitre.org
Mailing List
Third Party Advisory
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=truecve@mitre.org
Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/05/22/2af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=trueaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2017/05/22/2
Source: cve@mitre.org
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2017/05/22/2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1112Records found

CVE-2023-27372
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-99.64% / 99.95%
||
7 Day CHG-0.02%
Published-28 Feb, 2023 | 00:00
Updated-11 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Action-Not Available
Vendor-spipn/aDebian GNU/Linux
Product-debian_linuxspipn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60090
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Insightly plugin <= 1.1.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_insightlyWP Gravity Forms Insightly
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60216
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Addison theme < 1.4.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection.This issue affects Addison: from n/a through < 1.4.8.

Action-Not Available
Vendor-BoldThemes
Product-Addison
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-28115
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-2.76% / 84.48%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 21:15
Updated-25 Feb, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snappy vulnerable to PHAR deserialization, allowing remote code execution

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

Action-Not Available
Vendor-knplabsKnpLabs
Product-snappysnappy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-26579
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.13% / 62.46%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 15:06
Updated-28 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Inlong JDBC Vulnerability

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0,  the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2]  https://github.com/apache/inlong/pull/9707

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-inlongApache InLongapache_inlong
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26234
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.6||MEDIUM
EPSS-0.84% / 53.37%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 00:00
Updated-17 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance.

Action-Not Available
Vendor-jd-gui_projectn/a
Product-jd-guin/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26779
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.43% / 69.70%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 00:00
Updated-06 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).

Action-Not Available
Vendor-yf-exam_projectn/a
Product-yf-examn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26359
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-17.94% / 96.82%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 00:00
Updated-23 Oct, 2025 | 11:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-09-11||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusionColdFusion
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-59287
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-99.96% / 99.98%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:01
Updated-26 Feb, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-11-14||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2022windows_server_2012windows_server_2025windows_server_2022_23h2windows_server_2019windows_server_2016Windows Server 2019 (Server Core installation)Windows Server 2012Windows Server 2019Windows Server 2022Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2025Windows Server 2012 (Server Core installation)Windows Server 2016 (Server Core installation)Windows Server 2012 R2Windows Server 2025 (Server Core installation)Windows Server 2016Windows Server 2012 R2 (Server Core installation)Windows
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26153
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.3||HIGH
EPSS-3.24% / 86.77%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 05:00
Updated-19 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system.

Action-Not Available
Vendor-geokitn/a
Product-geokit-railsgeokit-rails
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60245
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.21%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:55
Updated-28 Apr, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP User Manager plugin <= 2.9.12 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.

Action-Not Available
Vendor-WP User Manager
Product-WP User Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26326
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.82% / 88.79%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 00:00
Updated-12 Mar, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Action-Not Available
Vendor-themekraftn/a
Product-buddyformsBuddyForms WordPress Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26512
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.03% / 59.65%
||
7 Day CHG~0.00%
Published-17 Jul, 2023 | 07:16
Updated-21 Nov, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationThe Apache Software FoundationLinux Kernel Organization, Inc
Product-eventmeshmacoslinux_kernelwindowsApache EventMesh (incubating) RabbitMQ connectoreventmesh
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60205
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:50
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions.

Action-Not Available
Vendor-ThemeREX
Product-ThemeREX Addons
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60214
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.47%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Goldenblatt theme < 1.3.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through < 1.3.0.

Action-Not Available
Vendor-BoldThemes
Product-Goldenblatt
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60178
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms HubSpot plugin <= 1.2.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_hubspotWP Gravity Forms HubSpot
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-26289
Matching Score-4
Assigner-EU Agency for Cybersecurity (ENISA)
ShareView Details
Matching Score-4
Assigner-EU Agency for Cybersecurity (ENISA)
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 44.81%
||
7 Day CHG~0.00%
Published-27 May, 2024 | 07:01
Updated-04 Apr, 2025 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Inclusion Vulnerability in Multiple PMB Versions

Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.

Action-Not Available
Vendor-sigbPMB Servicespmb_services
Product-pmbPMBpmb
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52338
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.32% / 81.39%
||
7 Day CHG~0.00%
Published-28 Nov, 2024 | 16:31
Updated-15 Jul, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Arrow R package: Arbitrary code execution when loading a malicious data file

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue.

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-arrowApache Arrow R packageapache_arrow_r_package
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-8751
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-17 May, 2026 | 11:30
Updated-18 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
h2oai h2o-3 JAR Model.java importBinaryModel deserialization

A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-h2oai
Product-h2o-3
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60230
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.28%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 13:15
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

Action-Not Available
Vendor-Themeton
Product-The Barber Shop
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60238
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UNIVERSAM plugin <= 9.04.02 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection.This issue affects UNIVERSAM: from n/a through <= 9.04.02.

Action-Not Available
Vendor-universam
Product-UNIVERSAM
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60091
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Zoho CRM and Bigin plugin <= 1.2.9 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_zoho_crm_and_biginWP Gravity Forms Zoho CRM and Bigin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-25100
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-10||CRITICAL
EPSS-0.77% / 51.01%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 07:04
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Coupon Referral Program plugin < 1.8.4 - Unauthenticated PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program allows Object Injection.This issue affects Coupon Referral Program: from n/a before 1.8.4.

Action-Not Available
Vendor-wpswingsWP Swingswpswings
Product-coupon_referral_programCoupon Referral Programcoupon_referral_program
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60231
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 23.16%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 13:46
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

Action-Not Available
Vendor-EMV
Product-The Hospital
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60226
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress White Rabbit theme <= 1.5.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection.This issue affects White Rabbit: from n/a through <= 1.5.2.

Action-Not Available
Vendor-axiomthemesaxiomthemes
Product-white_rabbitWhite Rabbit
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-30179
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-4.20% / 89.73%
||
7 Day CHG~0.00%
Published-31 May, 2021 | 07:25
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dubboApache Dubbo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-24914
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.55% / 91.89%
||
7 Day CHG~0.00%
Published-04 Mar, 2021 | 12:33
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

Action-Not Available
Vendor-qcubedn/a
Product-qcubedn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-17057
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-26.17% / 97.74%
||
7 Day CHG~0.00%
Published-14 Sep, 2018 | 20:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Action-Not Available
Vendor-tecnicklimesurveyn/a
Product-limesurveytcpdfn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-24648
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-9.8||CRITICAL
EPSS-10.10% / 95.08%
||
7 Day CHG~0.00%
Published-19 Oct, 2020 | 17:36
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Action-Not Available
Vendor-n/aHP Inc.
Product-intelligent_management_centerHPE Intelligent Management Center (iMC)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-24162
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.27% / 66.27%
||
7 Day CHG~0.00%
Published-31 Jan, 2023 | 00:00
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.

Action-Not Available
Vendor-hutooln/a
Product-hutooln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7871
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:14
Updated-02 Jul, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization in Redis Cache Backend

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-25117
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.93% / 56.33%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 16:25
Updated-05 Feb, 2025 | 22:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
php-svg-lib lacks path validation on font through SVG inline styles

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.

Action-Not Available
Vendor-dompdfdompdfdompdfThe PHP Group
Product-php-svg-libphpphp-svg-libphp-svg-lib
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2025-60237
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.80%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 08:14
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0.

Action-Not Available
Vendor-Themeton
Product-Finag
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60089
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms FreshDesk plugin plugin <= 1.3.5 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_freshdesk_pluginWP Gravity Forms FreshDesk Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-8024
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-9.3||CRITICAL
EPSS-0.55% / 42.14%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 09:43
Updated-18 Jun, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization vulnerability in ibaPDA and ibaDatCoordinator

A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems.

Action-Not Available
Vendor-iba
Product-ibaPDAibaDatCoordinator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7304
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 43.69%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 10:39
Updated-19 May, 2026 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2026-7304

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Action-Not Available
Vendor-lmsysSGLang
Product-sglangSGLang
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-1567
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.76% / 88.58%
||
7 Day CHG-0.48%
Published-07 Sep, 2018 | 16:00
Updated-16 Sep, 2024 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7301
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 31.95%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 10:38
Updated-19 May, 2026 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2026-7301

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Action-Not Available
Vendor-lmsysSGLang
Product-sglangSGLang
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24797
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 46.47%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 07:19
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ERE Recently Viewed Plugin <= 1.3 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in G5Theme ERE Recently Viewed – Essential Real Estate Add-On.This issue affects ERE Recently Viewed – Essential Real Estate Add-On: from n/a through 1.3.

Action-Not Available
Vendor-g5plusG5Themeg5theme
Product-ere_recently_viewedERE Recently Viewed – Essential Real Estate Add-Onessential_real_estate
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60210
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.60%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Everest Forms - Frontend Listing plugin <= 1.0.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-listing allows Object Injection.This issue affects Everest Forms - Frontend Listing: from n/a through <= 1.0.5.

Action-Not Available
Vendor-wpeverestwpeverest
Product-everest_forms_frontend_listingEverest Forms - Frontend Listing
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60180
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Salesforce plugin <= 1.5.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_salesforceWP Gravity Forms Salesforce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7637
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 43.13%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 02:27
Updated-20 May, 2026 | 12:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Action-Not Available
Vendor-PixelYourSite
Product-Boost
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60209
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Connector for Gravity Forms and Google Sheets plugin <= 1.2.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection.This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.

Action-Not Available
Vendor-CRM Perks
Product-Connector for Gravity Forms and Google Sheets
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-3160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.67% / 90.65%
||
7 Day CHG~0.00%
Published-28 Jan, 2021 | 19:37
Updated-03 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data in the login page of ASSUWEB 359.3 build 1 subcomponent of ACA ASSUREX RENTES product allows a remote attacker to inject unsecure serialized Java object using a specially crafted HTTP request, resulting in an unauthenticated remote code execution on the server.

Action-Not Available
Vendor-acan/a
Product-assuwebn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60213
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Scape theme <= 1.5.13 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Whitebox-Studio Scape scape allows Object Injection.This issue affects Scape: from n/a through <= 1.5.13.

Action-Not Available
Vendor-Whitebox-Studio
Product-Scape
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7858
Matching Score-4
Assigner-Dassault Systèmes
ShareView Details
Matching Score-4
Assigner-Dassault Systèmes
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.61%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 07:45
Updated-01 Jun, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x

A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code execution.

Action-Not Available
Vendor-Dassault Systèmes S.E. (3DS)
Product-Magic Collaboration StudioTeamwork Cloud - Enterprise EditionTeamwork Cloud - Business EditionTeamwork Cloud - Business Pro EditionTeamwork Cloud - Standard Edition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60039
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.99%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Noisa theme <= 2.6.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0.

Action-Not Available
Vendor-rascals
Product-Noisa
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15691
Matching Score-4
Assigner-CA Technologies - A Broadcom Company
ShareView Details
Matching Score-4
Assigner-CA Technologies - A Broadcom Company
CVSS Score-9.8||CRITICAL
EPSS-16.76% / 96.65%
||
7 Day CHG~0.00%
Published-30 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code.

Action-Not Available
Vendor-Broadcom Inc.
Product-release_automationRelease Automation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-14720
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.52% / 93.75%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-debian_linuxprimavera_unifiercommunications_billing_and_revenue_managementjackson-databindenterprise_manager_for_virtualizationfinancial_services_analytical_applications_infrastructureopenshift_container_platformjdeveloperbanking_platformjboss_enterprise_application_platformretail_merchandising_systemwebcenter_portaln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24302
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.93% / 56.39%
||
7 Day CHG~0.00%
Published-03 Mar, 2024 | 00:00
Updated-15 May, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method.

Action-Not Available
Vendor-prestalifen/aprestashopmodules
Product-product_designern/aproductdesigner
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 22
  • 23
  • Next
Details not found