Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13786

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-02 Jul, 2025 | 06:40
Updated At-08 Apr, 2026 | 17:24
Rejected At-
Credits

Education Center | LMS & Online Courses WordPress Theme <= 3.6.10 - PHP Object Injection

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:02 Jul, 2025 | 06:40
Updated At:08 Apr, 2026 | 17:24
Rejected At:
▼CVE Numbering Authority (CNA)
Education Center | LMS & Online Courses WordPress Theme <= 3.6.10 - PHP Object Injection

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Affected Products
Vendor
ThemeREX
Product
Education Center | LMS & Online Courses WordPress Theme
Default Status
unaffected
Versions
Affected
  • From 0 through 3.6.10 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Lucio Sá
Timeline
EventDate
Disclosed2025-03-01 00:00:00
Event: Disclosed
Date: 2025-03-01 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b27bc8-617a-4f98-954f-e49f87dca311?source=cve
N/A
https://themeforest.net/item/education-center-training-courses-wordpress-theme/10652918#item-description__change-log
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b27bc8-617a-4f98-954f-e49f87dca311?source=cve
Resource: N/A
Hyperlink: https://themeforest.net/item/education-center-training-courses-wordpress-theme/10652918#item-description__change-log
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:02 Jul, 2025 | 07:15
Updated At:03 Jul, 2025 | 15:13

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-502Primarysecurity@wordfence.com
CWE ID: CWE-502
Type: Primary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://themeforest.net/item/education-center-training-courses-wordpress-theme/10652918#item-description__change-logsecurity@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b27bc8-617a-4f98-954f-e49f87dca311?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://themeforest.net/item/education-center-training-courses-wordpress-theme/10652918#item-description__change-log
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/d0b27bc8-617a-4f98-954f-e49f87dca311?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1002Records found

CVE-2025-60205
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:50
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions.

Action-Not Available
Vendor-ThemeREX
Product-ThemeREX Addons
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-54001
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.75%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Classter theme <= 2.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through <= 2.5.

Action-Not Available
Vendor-ThemeREX
Product-Classter
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-13770
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.76% / 50.59%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 04:21
Updated-08 Apr, 2026 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Puzzles | WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Unauthenticated PHP Object Injection

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of untrusted input 'view_more_posts' AJAX action. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software.

Action-Not Available
Vendor-themerexThemeREX
Product-puzzlesPuzzles | WP Magazine / Review with Store WordPress Theme + RTL
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-49890
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.26%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 08:03
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Organic Beauty Theme <= 1.4.6 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Organic Beauty organic-beauty allows Object Injection.This issue affects Organic Beauty: from n/a through <= 1.4.6.

Action-Not Available
Vendor-ThemeREX
Product-Organic Beauty
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-28074
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pizza House theme <= 1.4.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.This issue affects Pizza House: from n/a through <= 1.4.0.

Action-Not Available
Vendor-ThemeREX
Product-Pizza House
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27439
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dentario theme <= 1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5.

Action-Not Available
Vendor-ThemeREX
Product-Dentario
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27437
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tennis Club theme <= 1.2.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection.This issue affects Tennis Club: from n/a through <= 1.2.3.

Action-Not Available
Vendor-ThemeREX
Product-Tennis Club
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27083
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Work & Travel Company theme <= 1.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2.

Action-Not Available
Vendor-ThemeREX
Product-Work & Travel Company
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27082
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12.

Action-Not Available
Vendor-ThemeREX
Product-Love Story
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27084
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.71%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Buisson theme <= 1.1.11 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11.

Action-Not Available
Vendor-ThemeREX
Product-Buisson
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27438
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kingler theme <= 1.7 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Kingler kingler allows Object Injection.This issue affects Kingler: from n/a through <= 1.7.

Action-Not Available
Vendor-ThemeREX
Product-Kingler
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-28105
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Good Energy theme <= 1.7.7 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7.

Action-Not Available
Vendor-ThemeREX
Product-Good Energy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-22474
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.93%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Equestrian Centre theme <= 1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection.This issue affects Equestrian Centre: from n/a through <= 1.5.

Action-Not Available
Vendor-ThemeREX
Product-Equestrian Centre
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-22453
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.75%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through <= 2.3.

Action-Not Available
Vendor-ThemeREX
Product-Pets Club
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-22454
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.75%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Solaris theme <= 2.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through <= 2.5.

Action-Not Available
Vendor-ThemeREX
Product-Solaris
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69079
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sound | Musical Instruments Online Store theme <= 1.6.9 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection.This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.

Action-Not Available
Vendor-ThemeREX
Product-Sound | Musical Instruments Online Store
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69405
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.11 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.

Action-Not Available
Vendor-ThemeREX
Product-Lorem Ipsum | Books & Media Store
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69127
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.

Action-Not Available
Vendor-ThemeREX
Product-Plumbing
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69404
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Extreme Store theme <= 1.5.10 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10.

Action-Not Available
Vendor-ThemeREX
Product-Extreme Store
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69108
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:56
Updated-17 Jun, 2026 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.

Action-Not Available
Vendor-ThemeREX
Product-Hot Coffee
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69122
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.

Action-Not Available
Vendor-ThemeREX
Product-SeaFood Company
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69111
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

Action-Not Available
Vendor-ThemeREX
Product-Reisen
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-13448
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.88% / 54.72%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 06:38
Updated-08 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ThemeREX Addons <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-themerexThemeREX
Product-addonsThemeREX Addons
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-28043
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.40%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Healer - Doctor, Clinic & Medical WordPress Theme theme <= 1.0.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through <= 1.0.0.

Action-Not Available
Vendor-ThemeREX
Product-Healer - Doctor, Clinic & Medical WordPress Theme
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2023-27372
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-99.64% / 99.95%
||
7 Day CHG-0.02%
Published-28 Feb, 2023 | 00:00
Updated-11 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Action-Not Available
Vendor-spipn/aDebian GNU/Linux
Product-debian_linuxspipn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60090
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Insightly plugin <= 1.1.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_insightlyWP Gravity Forms Insightly
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60216
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Addison theme < 1.4.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection.This issue affects Addison: from n/a through < 1.4.8.

Action-Not Available
Vendor-BoldThemes
Product-Addison
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-28115
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-2.76% / 84.48%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 21:15
Updated-25 Feb, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snappy vulnerable to PHAR deserialization, allowing remote code execution

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

Action-Not Available
Vendor-knplabsKnpLabs
Product-snappysnappy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26234
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.6||MEDIUM
EPSS-0.84% / 53.37%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 00:00
Updated-17 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance.

Action-Not Available
Vendor-jd-gui_projectn/a
Product-jd-guin/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26779
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.43% / 69.70%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 00:00
Updated-06 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).

Action-Not Available
Vendor-yf-exam_projectn/a
Product-yf-examn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26359
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-17.94% / 96.82%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 00:00
Updated-23 Oct, 2025 | 11:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-09-11||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusionColdFusion
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-59287
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-99.96% / 99.98%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:01
Updated-26 Feb, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-11-14||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2022windows_server_2012windows_server_2025windows_server_2022_23h2windows_server_2019windows_server_2016Windows Server 2019 (Server Core installation)Windows Server 2012Windows Server 2019Windows Server 2022Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2025Windows Server 2012 (Server Core installation)Windows Server 2016 (Server Core installation)Windows Server 2012 R2Windows Server 2025 (Server Core installation)Windows Server 2016Windows Server 2012 R2 (Server Core installation)Windows
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26153
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.3||HIGH
EPSS-3.24% / 86.77%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 05:00
Updated-19 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system.

Action-Not Available
Vendor-geokitn/a
Product-geokit-railsgeokit-rails
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60245
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.21%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:55
Updated-28 Apr, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP User Manager plugin <= 2.9.12 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.

Action-Not Available
Vendor-WP User Manager
Product-WP User Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-46990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.46% / 70.35%
||
7 Day CHG~0.00%
Published-20 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data in PublicCMS v.4.0.202302.e allows a remote attacker to execute arbitrary code via a crafted script to the writeReplace function.

Action-Not Available
Vendor-publiccmsn/a
Product-publiccmsn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26326
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.82% / 88.79%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 00:00
Updated-12 Mar, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Action-Not Available
Vendor-themekraftn/a
Product-buddyformsBuddyForms WordPress Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-26512
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.03% / 59.65%
||
7 Day CHG~0.00%
Published-17 Jul, 2023 | 07:16
Updated-21 Nov, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationThe Apache Software FoundationLinux Kernel Organization, Inc
Product-eventmeshmacoslinux_kernelwindowsApache EventMesh (incubating) RabbitMQ connectoreventmesh
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60214
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.47%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Goldenblatt theme < 1.3.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through < 1.3.0.

Action-Not Available
Vendor-BoldThemes
Product-Goldenblatt
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60178
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms HubSpot plugin <= 1.2.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_hubspotWP Gravity Forms HubSpot
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52338
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.32% / 81.39%
||
7 Day CHG~0.00%
Published-28 Nov, 2024 | 16:31
Updated-15 Jul, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Arrow R package: Arbitrary code execution when loading a malicious data file

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue.

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-arrowApache Arrow R packageapache_arrow_r_package
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60230
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.28%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 13:15
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

Action-Not Available
Vendor-Themeton
Product-The Barber Shop
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60238
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UNIVERSAM plugin <= 9.04.02 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection.This issue affects UNIVERSAM: from n/a through <= 9.04.02.

Action-Not Available
Vendor-universam
Product-UNIVERSAM
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60091
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.61%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Zoho CRM and Bigin plugin <= 1.2.9 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_zoho_crm_and_biginWP Gravity Forms Zoho CRM and Bigin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60231
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 23.16%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 13:46
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

Action-Not Available
Vendor-EMV
Product-The Hospital
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60226
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress White Rabbit theme <= 1.5.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection.This issue affects White Rabbit: from n/a through <= 1.5.2.

Action-Not Available
Vendor-axiomthemesaxiomthemes
Product-white_rabbitWhite Rabbit
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-30179
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-4.20% / 89.73%
||
7 Day CHG~0.00%
Published-31 May, 2021 | 07:25
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dubboApache Dubbo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-24914
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.55% / 91.89%
||
7 Day CHG~0.00%
Published-04 Mar, 2021 | 12:33
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

Action-Not Available
Vendor-qcubedn/a
Product-qcubedn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-24648
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-9.8||CRITICAL
EPSS-10.10% / 95.08%
||
7 Day CHG~0.00%
Published-19 Oct, 2020 | 17:36
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Action-Not Available
Vendor-n/aHP Inc.
Product-intelligent_management_centerHPE Intelligent Management Center (iMC)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-24162
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.27% / 66.27%
||
7 Day CHG~0.00%
Published-31 Jan, 2023 | 00:00
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.

Action-Not Available
Vendor-hutooln/a
Product-hutooln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7871
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:14
Updated-02 Jul, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization in Redis Cache Backend

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next
Details not found