Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-5434

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-06 May, 2019 | 16:53
Updated At-04 Aug, 2024 | 19:54
Rejected At-
Credits

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:06 May, 2019 | 16:53
Updated At:04 Aug, 2024 | 19:54
Rejected At:
▼CVE Numbering Authority (CNA)

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.

Affected Products
Vendor
n/a
Product
Revive Adserver
Versions
Affected
  • Fixed version v4.2.0
Problem Types
TypeCWE IDDescription
CWECWE-502Deserialization of Untrusted Data (CWE-502)
Type: CWE
CWE ID: CWE-502
Description: Deserialization of Untrusted Data (CWE-502)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://hackerone.com/reports/512076
x_refsource_MISC
https://hackerone.com/reports/542670
x_refsource_MISC
https://www.revive-adserver.com/security/revive-sa-2019-001/
x_refsource_MISC
http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/512076
Resource:
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/542670
Resource:
x_refsource_MISC
Hyperlink: https://www.revive-adserver.com/security/revive-sa-2019-001/
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://hackerone.com/reports/512076
x_refsource_MISC
x_transferred
https://hackerone.com/reports/542670
x_refsource_MISC
x_transferred
https://www.revive-adserver.com/security/revive-sa-2019-001/
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/512076
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/542670
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.revive-adserver.com/security/revive-sa-2019-001/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:06 May, 2019 | 17:29
Updated At:09 Oct, 2019 | 23:50

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

revive-sas
revive-sas
>>revive_adserver>>Versions before 4.2.0(exclusive)
cpe:2.3:a:revive-sas:revive_adserver:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Primarynvd@nist.gov
CWE-502Secondarysupport@hackerone.com
CWE ID: CWE-502
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-502
Type: Secondary
Source: support@hackerone.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.htmlsupport@hackerone.com
N/A
https://hackerone.com/reports/512076support@hackerone.com
Third Party Advisory
https://hackerone.com/reports/542670support@hackerone.com
Third Party Advisory
https://www.revive-adserver.com/security/revive-sa-2019-001/support@hackerone.com
Vendor Advisory
Hyperlink: http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
Source: support@hackerone.com
Resource: N/A
Hyperlink: https://hackerone.com/reports/512076
Source: support@hackerone.com
Resource:
Third Party Advisory
Hyperlink: https://hackerone.com/reports/542670
Source: support@hackerone.com
Resource:
Third Party Advisory
Hyperlink: https://www.revive-adserver.com/security/revive-sa-2019-001/
Source: support@hackerone.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

365Records found

CVE-2021-24384
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-4.12% / 88.17%
||
7 Day CHG~0.00%
Published-06 Jul, 2021 | 11:03
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection

The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE

Action-Not Available
Vendor-beardevUnknown
Product-joomsportJoomSport – for Sports: Team & League, Football, Hockey & more
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-22855
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 72.75%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 13:30
Updated-16 Sep, 2024 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution

The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.

Action-Not Available
Vendor-hr_portal_projectSoar Cloud System Co., Ltd.
Product-hr_portalHR Portal
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-2628
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-94.41% / 99.97%
||
7 Day CHG~0.00%
Published-19 Apr, 2018 | 02:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-29||Apply updates per vendor instructions.

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-weblogic_serverWebLogic ServerWebLogic Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21243
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-2.51% / 84.77%
||
7 Day CHG~0.00%
Published-15 Jan, 2021 | 20:05
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-Auth Unsafe Deserialization on KubernetesResource

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side.

Action-Not Available
Vendor-onedev_projecttheonedev
Product-onedevonedev
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-21234
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-25.25% / 95.98%
||
7 Day CHG~0.00%
Published-21 May, 2020 | 22:15
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.

Action-Not Available
Vendor-joddn/aThe Apache Software Foundation
Product-joddhiven/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21426
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 60.20%
||
7 Day CHG~0.00%
Published-21 Apr, 2021 | 20:15
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fixes a bug in Zend Framework's Stream HTTP Wrapper

Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.

Action-Not Available
Vendor-openmageOpenMage
Product-magentomagento-lts
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21741
Matching Score-4
Assigner-ZTE Corporation
ShareView Details
Matching Score-4
Assigner-ZTE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.35% / 79.31%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 00:00
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending specific serialization command.

Action-Not Available
Vendor-n/aZTE Corporation
Product-zxv10_m910zxv10_m910_firmwareZXV10 M910
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-5499
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.42%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 13:31
Updated-04 Jun, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
slackero phpwcms image_resized.php getimagesize deserialization

A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-slackero
Product-phpwcms
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21524
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-4.60% / 88.83%
||
7 Day CHG~0.00%
Published-12 Apr, 2021 | 19:50
Updated-16 Sep, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers.

Action-Not Available
Vendor-Dell Inc.
Product-storage_monitoring_and_reportingstorage_resource_managerDell EMC Storage Monitoring and Reporting
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21346
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-2.96% / 85.97%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 23:40
Updated-23 May, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XStream is vulnerable to an Arbitrary Code Execution attack

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Action-Not Available
Vendor-xstreamx-streamNetApp, Inc.Oracle CorporationFedora ProjectThe Apache Software FoundationDebian GNU/Linux
Product-xstreamcommunications_unified_inventory_managementcommunications_billing_and_revenue_management_elastic_charging_enginewebcenter_portaloncommand_insightbanking_virtual_account_managementbanking_enterprise_default_managementjmetercommunications_policy_managementactivemqretail_xstore_point_of_servicedebian_linuxbi_publisherfedorabanking_platformbusiness_activity_monitoringxstream
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21350
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-5.73% / 90.10%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 23:45
Updated-23 May, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XStream is vulnerable to an Arbitrary Code Execution attack

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Action-Not Available
Vendor-xstreamx-streamNetApp, Inc.Oracle CorporationFedora ProjectThe Apache Software FoundationDebian GNU/Linux
Product-xstreamcommunications_unified_inventory_managementweblogic_servercommunications_billing_and_revenue_management_elastic_charging_enginewebcenter_portaloncommand_insightbanking_virtual_account_managementjmetercommunications_policy_managementactivemqretail_xstore_point_of_servicedebian_linuxbanking_enterprise_default_managementfedorabanking_platformbusiness_activity_monitoringxstream
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-20718
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.39% / 92.47%
||
7 Day CHG~0.00%
Published-15 Jan, 2019 | 16:00
Updated-05 Aug, 2024 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

Action-Not Available
Vendor-pydion/a
Product-pydion/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-20148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-46.04% / 97.55%
||
7 Day CHG~0.00%
Published-14 Dec, 2018 | 20:00
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21344
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-22.69% / 95.65%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 23:40
Updated-23 May, 2025 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XStream is vulnerable to an Arbitrary Code Execution attack

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Action-Not Available
Vendor-xstreamx-streamNetApp, Inc.Oracle CorporationFedora ProjectThe Apache Software FoundationDebian GNU/Linux
Product-xstreamcommunications_unified_inventory_managementcommunications_billing_and_revenue_management_elastic_charging_enginewebcenter_portaloncommand_insightmysql_serverbanking_virtual_account_managementjmetercommunications_policy_managementactivemqretail_xstore_point_of_servicedebian_linuxbanking_enterprise_default_managementfedorabanking_platformbusiness_activity_monitoringxstream
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21347
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-2.20% / 83.75%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 23:40
Updated-23 May, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XStream is vulnerable to an Arbitrary Code Execution attack

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Action-Not Available
Vendor-xstreamx-streamNetApp, Inc.Oracle CorporationFedora ProjectThe Apache Software FoundationDebian GNU/Linux
Product-xstreamcommunications_unified_inventory_managementweblogic_servercommunications_billing_and_revenue_management_elastic_charging_enginewebcenter_portaloncommand_insightbanking_virtual_account_managementjmetercommunications_policy_managementactivemqretail_xstore_point_of_servicedebian_linuxbanking_enterprise_default_managementfedorabanking_platformbusiness_activity_monitoringxstream
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-19361
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.06% / 88.09%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 11:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-primavera_p6_enterprise_project_portfolio_managementdebian_linuxprimavera_unifierjackson-databindautomation_managerjboss_bpm_suiteopenshift_container_platformjboss_brmsretail_workforce_management_softwarewebcenter_portaldecision_managerbusiness_process_management_suiten/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-18628
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.38% / 88.56%
||
7 Day CHG~0.00%
Published-23 Oct, 2018 | 20:00
Updated-16 Sep, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.

Action-Not Available
Vendor-pippon/a
Product-pippon/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-1904
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-0.83% / 73.56%
||
7 Day CHG~0.00%
Published-11 Dec, 2018 | 16:00
Updated-17 Sep, 2024 | 02:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-8013
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.98% / 75.86%
||
7 Day CHG~0.00%
Published-24 May, 2018 | 16:00
Updated-16 Sep, 2024 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Action-Not Available
Vendor-Canonical Ltd.The Apache Software FoundationDebian GNU/LinuxOracle Corporation
Product-communications_diameter_signaling_routerubuntu_linuxcommunications_metasolv_solutionretail_central_officeenterprise_repositoryretail_back_officebusiness_intelligenceretail_integration_busretail_returns_managementbatikretail_point-of-servicecommunications_webrtc_session_controllerdebian_linuxinsurance_policy_administration_j2eeretail_order_brokerfinancial_services_analytical_applications_infrastructureinstantis_enterprisetrackfusion_middleware_mapviewerinsurance_calculation_enginejd_edwards_enterpriseone_toolsdata_integratorApache Batik
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-1851
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.3||HIGH
EPSS-5.29% / 89.64%
||
7 Day CHG~0.00%
Published-31 Oct, 2018 | 13:00
Updated-16 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-8018
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-5.51% / 89.86%
||
7 Day CHG~0.00%
Published-19 Jul, 2018 | 18:00
Updated-17 Sep, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to GridClientJdkMarshaller deserialization endpoint.

Action-Not Available
Vendor-The Apache Software Foundation
Product-igniteApache Ignite
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-8021
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-78.27% / 98.98%
||
7 Day CHG~0.00%
Published-07 Nov, 2018 | 14:00
Updated-05 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Action-Not Available
Vendor-unspecifiedThe Apache Software Foundation
Product-supersetSuperset
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2016-1114
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-2.34% / 84.25%
||
7 Day CHG~0.00%
Published-11 May, 2016 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-coldfusionn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-18240
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.71% / 85.33%
||
7 Day CHG~0.00%
Published-11 Oct, 2018 | 07:00
Updated-16 Sep, 2024 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.

Action-Not Available
Vendor-pippon/a
Product-pippon/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-14719
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.53% / 87.19%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-global_lifecycle_management_opatchprimavera_unifiercommunications_billing_and_revenue_managemententerprise_manager_for_virtualizationopenshift_container_platformenterprise_linuxbanking_platformdatabase_serveroncommand_workflow_automationretail_merchandising_systemsnapcenterclusterwaresteelstore_cloud_integrated_storageprimavera_p6_enterprise_project_portfolio_managementdebian_linuxjackson-databindfinancial_services_analytical_applications_infrastructurejdeveloperretail_workforce_management_softwarewebcenter_portalbusiness_process_management_suiten/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15890
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 72.78%
||
7 Day CHG~0.00%
Published-20 Jun, 2019 | 17:00
Updated-05 Aug, 2024 | 10:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.

Action-Not Available
Vendor-ethereumn/a
Product-ethereumjn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-3784
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 68.66%
||
7 Day CHG~0.00%
Published-17 Aug, 2018 | 13:00
Updated-05 Aug, 2024 | 04:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.

Action-Not Available
Vendor-cryo_projecthttps://github.com/hunterloftis
Product-cryocryo
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-3972
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.94% / 75.30%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 13:00
Updated-17 Sep, 2024 | 00:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

Action-Not Available
Vendor-getmonerohttps://github.com/sabelnikov
Product-moneroEpee
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-4450
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-76.78% / 98.91%
||
7 Day CHG~0.00%
Published-05 Jun, 2020 | 12:55
Updated-16 Sep, 2024 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2016-1000027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-49.42% / 97.72%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 00:00
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-spring_frameworkn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15959
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-40.11% / 97.24%
||
7 Day CHG-1.53%
Published-25 Sep, 2018 | 13:00
Updated-06 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusion
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-20732
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.28% / 88.40%
||
7 Day CHG~0.00%
Published-17 Jan, 2019 | 01:00
Updated-05 Aug, 2024 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to execute arbitrary code via a Java deserialization variant.

Action-Not Available
Vendor-sasn/aHewlett Packard Enterprise (HPE)Oracle CorporationMicrosoft CorporationIBM CorporationLinux Kernel Organization, Inc
Product-hp-ux_ipfiltersolarislinux_kernelwindowsaixweb_infrastructure_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12044
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 74.08%
||
7 Day CHG+0.07%
Published-20 Mar, 2025 | 10:10
Updated-20 Mar, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution by Pickle Deserialization in open-mmlab/mmdetection

A remote code execution vulnerability exists in open-mmlab/mmdetection version v3.3.0. The vulnerability is due to the use of the `pickle.loads()` function in the `all_reduce_dict()` distributed training API without proper sanitization. This allows an attacker to execute arbitrary code by broadcasting a malicious payload to the distributed training network.

Action-Not Available
Vendor-open-mmlab
Product-open-mmlab/mmdetection
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12433
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-1.08% / 76.98%
||
7 Day CHG+0.35%
Published-20 Mar, 2025 | 10:10
Updated-14 Jul, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in infiniflow/ragflow

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.

Action-Not Available
Vendor-infiniflowinfiniflow
Product-ragflowinfiniflow/ragflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2016-0360
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 75.59%
||
7 Day CHG~0.00%
Published-15 Feb, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_mq_jmsWebSphere MQ
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-3245
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-91.47% / 99.66%
||
7 Day CHG~0.00%
Published-17 Oct, 2018 | 01:00
Updated-02 Oct, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-weblogic_serverWebLogic Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2016-0779
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-9.01% / 92.29%
||
7 Day CHG~0.00%
Published-11 Apr, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-tomeen/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12029
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-43.06% / 97.40%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:08
Updated-20 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution via Model Deserialization in invoke-ai/invokeai

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.

Action-Not Available
Vendor-invoke-ai
Product-invoke-ai/invokeai
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-1225
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.14% / 34.02%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 13:00
Updated-15 May, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QiboSoft QiboCMS X1 Pay.php rmb_pay deserialization

A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Affected by this vulnerability is the function rmb_pay of the file /application/index/controller/Pay.php. The manipulation of the argument callback_class leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252847. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-qibosoftQiboSoft
Product-qibocms_x1QiboCMS X1
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-19362
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.78% / 90.93%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 11:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-primavera_p6_enterprise_project_portfolio_managementdebian_linuxprimavera_unifierjackson-databindautomation_managerjboss_bpm_suiteopenshift_container_platformjboss_brmsretail_workforce_management_softwarewebcenter_portaldecision_managerbusiness_process_management_suiten/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11041
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 67.13%
||
7 Day CHG+0.05%
Published-20 Mar, 2025 | 10:10
Updated-31 Jul, 2025 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in vllm-project/vllm

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm-project/vllm
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-19360
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.78% / 90.93%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 11:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-primavera_p6_enterprise_project_portfolio_managementdebian_linuxprimavera_unifierjackson-databindautomation_managerjboss_bpm_suiteopenshift_container_platformjboss_brmsretail_workforce_management_softwarewebcenter_portaldecision_managerbusiness_process_management_suiten/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-4043
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.57% / 80.80%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 19:40
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Phar unserialization vulnerability in phpMussel

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.

Action-Not Available
Vendor-phpmussel_projectphpMussel
Product-phpmusselphpMussel
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10553
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-2.54% / 84.91%
||
7 Day CHG+0.81%
Published-20 Mar, 2025 | 10:09
Updated-14 Jul, 2025 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jdbc Deserialization in h2oai/h2o-3

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.

Action-Not Available
Vendor-h2oh2oai
Product-h2oh2oai/h2o-3
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15381
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-58.75% / 98.14%
||
7 Day CHG-0.38%
Published-08 Nov, 2018 | 17:00
Updated-26 Nov, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Unity Express Arbitrary Command Execution Vulnerability

A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unity_expressCisco Unity Express
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-0603
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.20% / 41.95%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 22:00
Updated-02 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZhiCms giftcontroller.php deserialization

A vulnerability classified as critical has been found in ZhiCms up to 4.0. This affects an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the argument mylike leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250839.

Action-Not Available
Vendor-zhicmsn/a
Product-zhicmsZhiCms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-1567
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 71.37%
||
7 Day CHG~0.00%
Published-07 Sep, 2018 | 16:00
Updated-16 Sep, 2024 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15616
Matching Score-4
Assigner-Avaya, Inc.
ShareView Details
Matching Score-4
Assigner-Avaya, Inc.
CVSS Score-9||CRITICAL
EPSS-4.36% / 88.51%
||
7 Day CHG~0.00%
Published-17 Oct, 2018 | 19:00
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
System Platform Web UI Deserialization

A vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attack that could result in remote code execution. Affected versions of System Platform includes 6.3.0 through 6.3.9 and 6.4.0 through 6.4.2.

Action-Not Available
Vendor-Avaya LLC
Product-avaya_aura_system_platformAvaya Aura® System Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-14720
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.41% / 86.98%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-debian_linuxprimavera_unifiercommunications_billing_and_revenue_managementjackson-databindenterprise_manager_for_virtualizationfinancial_services_analytical_applications_infrastructureopenshift_container_platformjdeveloperbanking_platformjboss_enterprise_application_platformretail_merchandising_systemwebcenter_portaln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-9664
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-12.56% / 93.70%
||
7 Day CHG~0.00%
Published-22 Jul, 2020 | 19:23
Updated-04 Aug, 2024 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 7
  • 8
  • Next
Details not found