Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-8003

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-20 Aug, 2024 | 13:31
Updated At-20 Aug, 2024 | 16:13
Rejected At-
Credits

Go-Tribe gotribe-admin Log routes.go InitRoutes deserialization

A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Affected by this issue is the function InitRoutes of the file internal/app/routes/routes.go of the component Log Handler. The manipulation leads to deserialization. The patch is identified as 45ac90d6d1f82716f77dbcdf8e7309c229080e3c. It is recommended to apply a patch to fix this issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:20 Aug, 2024 | 13:31
Updated At:20 Aug, 2024 | 16:13
Rejected At:
▼CVE Numbering Authority (CNA)
Go-Tribe gotribe-admin Log routes.go InitRoutes deserialization

A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Affected by this issue is the function InitRoutes of the file internal/app/routes/routes.go of the component Log Handler. The manipulation leads to deserialization. The patch is identified as 45ac90d6d1f82716f77dbcdf8e7309c229080e3c. It is recommended to apply a patch to fix this issue.

Affected Products
Vendor
Go-Tribe
Product
gotribe-admin
Modules
  • Log Handler
Versions
Affected
  • 1.0
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3.13.5LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.03.5LOW
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2.02.7N/A
AV:A/AC:L/Au:S/C:P/I:N/A:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.0
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 2.0
Base score: 2.7
Base severity: N/A
Vector:
AV:A/AC:L/Au:S/C:P/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
zihe (VulDB User)
Timeline
EventDate
Advisory disclosed2024-08-20 00:00:00
VulDB entry created2024-08-20 02:00:00
VulDB entry last update2024-08-20 10:10:06
Event: Advisory disclosed
Date: 2024-08-20 00:00:00
Event: VulDB entry created
Date: 2024-08-20 02:00:00
Event: VulDB entry last update
Date: 2024-08-20 10:10:06
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/?id.275198
vdb-entry
technical-description
https://vuldb.com/?ctiid.275198
signature
permissions-required
https://vuldb.com/?submit.393987
third-party-advisory
https://github.com/Go-Tribe/gotribe-admin/issues/1
issue-tracking
https://github.com/Go-Tribe/gotribe-admin/issues/1#issuecomment-2298187923
issue-tracking
https://github.com/Go-Tribe/gotribe-admin/commit/45ac90d6d1f82716f77dbcdf8e7309c229080e3c
patch
Hyperlink: https://vuldb.com/?id.275198
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.275198
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.393987
Resource:
third-party-advisory
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/issues/1
Resource:
issue-tracking
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/issues/1#issuecomment-2298187923
Resource:
issue-tracking
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/commit/45ac90d6d1f82716f77dbcdf8e7309c229080e3c
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:20 Aug, 2024 | 14:15
Updated At:21 Aug, 2024 | 15:51

A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Affected by this issue is the function InitRoutes of the file internal/app/routes/routes.go of the component Log Handler. The manipulation leads to deserialization. The patch is identified as 45ac90d6d1f82716f77dbcdf8e7309c229080e3c. It is recommended to apply a patch to fix this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.13.5LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary2.02.7LOW
AV:A/AC:L/Au:S/C:P/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 2.0
Base score: 2.7
Base severity: LOW
Vector:
AV:A/AC:L/Au:S/C:P/I:N/A:N
CPE Matches

gotribe
gotribe
>>gotribe-admin>>1.0
cpe:2.3:a:gotribe:gotribe-admin:1.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Primarynvd@nist.gov
CWE-502Secondarycna@vuldb.com
CWE ID: CWE-502
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-502
Type: Secondary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/Go-Tribe/gotribe-admin/commit/45ac90d6d1f82716f77dbcdf8e7309c229080e3ccna@vuldb.com
Patch
https://github.com/Go-Tribe/gotribe-admin/issues/1cna@vuldb.com
Exploit
Issue Tracking
https://github.com/Go-Tribe/gotribe-admin/issues/1#issuecomment-2298187923cna@vuldb.com
Exploit
Issue Tracking
https://vuldb.com/?ctiid.275198cna@vuldb.com
Permissions Required
Third Party Advisory
VDB Entry
https://vuldb.com/?id.275198cna@vuldb.com
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.393987cna@vuldb.com
Third Party Advisory
VDB Entry
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/commit/45ac90d6d1f82716f77dbcdf8e7309c229080e3c
Source: cna@vuldb.com
Resource:
Patch
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/issues/1
Source: cna@vuldb.com
Resource:
Exploit
Issue Tracking
Hyperlink: https://github.com/Go-Tribe/gotribe-admin/issues/1#issuecomment-2298187923
Source: cna@vuldb.com
Resource:
Exploit
Issue Tracking
Hyperlink: https://vuldb.com/?ctiid.275198
Source: cna@vuldb.com
Resource:
Permissions Required
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?id.275198
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?submit.393987
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

725Records found

CVE-2025-49072
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:15
Updated-06 Jun, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mr. Murphy < 1.2.12.1 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection.This issue affects Mr. Murphy: from n/a before 1.2.12.1.

Action-Not Available
Vendor-AncoraThemes
Product-Mr. Murphy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-3838
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-5.22% / 89.56%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:51
Updated-19 Nov, 2024 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHAR Deserialization in dompdf/dompdf

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

Action-Not Available
Vendor-dompdf_projectdompdfdompdf
Product-dompdfdompdf/dompdfdompdf
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-35405
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.42% / 99.98%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 14:51
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-10-13||Apply updates per vendor instructions.

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_password_manager_promanageengine_access_manager_plusmanageengine_pam360n/aManageEngine
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-43850
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 18:20
Updated-01 Aug, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GHSL-2025-020_Retrieval-based-Voice-Conversion-WebUI

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_dir variable takes user input (e.g. a path to a model) and passes it to the change_info function in export.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Action-Not Available
Vendor-rvc-projectRVC-Project
Product-retrieval-based-voice-conversion-webuiRetrieval-based-Voice-Conversion-WebUI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-43849
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 18:20
Updated-01 Aug, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GHSL-2025-019_Retrieval-based-Voice-Conversion-WebUI

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_a and cpkt_b variables take user input (e.g. a path to a model) and pass it to the merge function in process_ckpt.py, which uses them to load the models on those paths with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Action-Not Available
Vendor-rvc-projectRVC-Project
Product-retrieval-based-voice-conversion-webuiRetrieval-based-Voice-Conversion-WebUI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-35223
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-3.47% / 87.09%
||
7 Day CHG~0.00%
Published-02 Aug, 2022 | 15:21
Updated-17 Sep, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EasyUse MailHunter Ultimate - Deserialization of Untrusted Data

EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Deserializing a cookie containing malicious payload will trigger this insecure deserialization vulnerability, allowing an unauthenticated remote attacker to execute arbitrary code, manipulate system command or interrupt service.

Action-Not Available
Vendor-easyuseEasyUse
Product-mailhunter_ultimateMailHunter Ultimate
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-43851
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 18:21
Updated-01 Aug, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GHSL-2025-021_Retrieval-based-Voice-Conversion-WebUI

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function in vr.py. In uvr , a new instance of AudioPre class is created with the model_path attribute containing the aformentioned user input. In the AudioPre class, the user input, is used to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Action-Not Available
Vendor-rvc-projectRVC-Project
Product-retrieval-based-voice-conversion-webuiRetrieval-based-Voice-Conversion-WebUI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2012-4406
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-7.79% / 91.59%
||
7 Day CHG~0.00%
Published-22 Oct, 2012 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

Action-Not Available
Vendor-n/aFedora ProjectOpenStackRed Hat, Inc.
Product-storagestorage_for_public_cloudgluster_storage_server_for_on-premisegluster_storage_management_consoleswiftfedoraenterprise_linux_servern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-45146
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.08%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 00:00
Updated-11 Aug, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code via supplying crafted data.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-43846
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 17:16
Updated-01 Aug, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GHSL-2025-016_Retrieval-based-Voice-Conversion-WebUI

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path1 variable takes user input (e.g. a path to a model) and passes it to the show_info function in process_ckpt.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Action-Not Available
Vendor-rvc-projectRVC-Project
Product-retrieval-based-voice-conversion-webuiRetrieval-based-Voice-Conversion-WebUI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39354
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:48
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Grand Conference theme <= 5.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.This issue affects Grand Conference: from n/a through 5.2.

Action-Not Available
Vendor-ThemeGoods
Product-Grand Conference
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39349
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:51
Updated-29 May, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CiyaShop theme <= 4.18.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0.

Action-Not Available
Vendor-potenzaglobalsolutionsPotenzaglobalsolutions
Product-ciyashopCiyaShop
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39495
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avantage Theme <= 2.4.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection. This issue affects Avantage: from n/a through 2.4.6.

Action-Not Available
Vendor-BoldThemes
Product-Avantage
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39410
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 18:58
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Sections Theme Builder - WPBakery Page Builder Addon plugin <= 1.7.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon.This issue affects Smart Sections Theme Builder - WPBakery Page Builder Addon: from n/a through 1.7.8.

Action-Not Available
Vendor-themegusta
Product-Smart Sections Theme Builder - WPBakery Page Builder Addon
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-37578
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.58% / 80.84%
||
7 Day CHG~0.00%
Published-29 Jul, 2021 | 07:05
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote code execution via RMI

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.

Action-Not Available
Vendor-The Apache Software Foundation
Product-juddiApache jUDDI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GrandTour Theme <= 5.5.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.

Action-Not Available
Vendor-ThemeGoods
Product-Grand Tour | Travel Agency WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39503
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Goodlayers Hotel plugin <= 3.1.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection. This issue affects Goodlayers Hotel: from n/a through 3.1.4.

Action-Not Available
Vendor-GoodLayers
Product-Goodlayers Hotel
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39500
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Goodlayers Hostel Plugin <= 3.1.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel allows Object Injection. This issue affects Goodlayers Hostel: from n/a through 3.1.2.

Action-Not Available
Vendor-GoodLayers
Product-Goodlayers Hostel
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39480
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Car Dealer <= 1.6.6 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection. This issue affects Car Dealer: from n/a through 1.6.6.

Action-Not Available
Vendor-ThemeMakers
Product-Car Dealer
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39356
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:45
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Foodbakery Sticky Cart plugin <= 3.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through 3.2.

Action-Not Available
Vendor-Chimpstudio
Product-Foodbakery Sticky Cart
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39499
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-03 Jul, 2025 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Medicare Theme <= 2.1.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.This issue affects Medicare: from n/a through 2.1.0.

Action-Not Available
Vendor-BoldThemes
Product-Medicare
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39550
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FluentCommunity <= 1.2.15 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15.

Action-Not Available
Vendor-Shahjahan Jewel
Product-FluentCommunity
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39588
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Store Kit Elementor Addons <= 2.4.0 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0.

Action-Not Available
Vendor-BdThemes
Product-Ultimate Store Kit Elementor Addons
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39551
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FluentBoards <= 1.47 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection. This issue affects FluentBoards: from n/a through 1.47.

Action-Not Available
Vendor-Mahmudul Hasan Arif
Product-FluentBoards
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35971
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 72.65%
||
7 Day CHG~0.00%
Published-30 Jun, 2021 | 14:28
Updated-04 Aug, 2024 | 00:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting.

Action-Not Available
Vendor-n/aVeeam Software Group GmbH
Product-veeam_backup_\&_replicationn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24797
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.85%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 07:19
Updated-08 Oct, 2024 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ERE Recently Viewed Plugin <= 1.3 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in G5Theme ERE Recently Viewed – Essential Real Estate Add-On.This issue affects ERE Recently Viewed – Essential Real Estate Add-On: from n/a through 1.3.

Action-Not Available
Vendor-g5plusG5Themeg5theme
Product-ere_recently_viewedERE Recently Viewed – Essential Real Estate Add-Onessential_real_estate
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-36336
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-3.06% / 86.16%
||
7 Day CHG~0.00%
Published-21 Dec, 2021 | 17:05
Updated-16 Sep, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-36163
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.61% / 81.02%
||
7 Day CHG~0.00%
Published-07 Sep, 2021 | 09:25
Updated-04 Aug, 2024 | 00:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe deserialization in providers using the Hessian protocol

In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1

Action-Not Available
Vendor-The Apache Software Foundation
Product-dubboApache Dubbo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35464
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.39% / 99.97%
||
7 Day CHG~0.00%
Published-22 Jul, 2021 | 17:10
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-11-17||Apply updates per vendor instructions.

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Action-Not Available
Vendor-n/aForgeRock, Inc.
Product-openamaccess_managementn/aAccess Management (AM)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32928
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:53
Updated-29 May, 2025 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Altair theme <= 5.2.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.This issue affects Altair: from n/a through 5.2.2.

Action-Not Available
Vendor-themegoodsThemeGoods
Product-altairAltair
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32897
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.20%
||
7 Day CHG-0.05%
Published-28 Jun, 2025 | 18:25
Updated-08 Jul, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-seataApache Seata (incubating)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-23759
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-64.42% / 98.38%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 00:00
Updated-07 May, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.

Action-Not Available
Vendor-gambion/a
Product-gambion/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-32927
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:54
Updated-29 May, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FoodBakery plugin <= 3.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.This issue affects FoodBakery: from n/a through 3.3.

Action-Not Available
Vendor-chimpgroupChimpstudio
Product-foodbakeryFoodBakery
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-3439
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.15% / 77.65%
||
7 Day CHG~0.00%
Published-11 Apr, 2025 | 12:42
Updated-11 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Action-Not Available
Vendor-wpeverest
Product-Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-34066
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.40%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file.

Action-Not Available
Vendor-edgegalleryn/a
Product-developer-ben/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-34371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-68.07% / 98.53%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 19:35
Updated-04 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Action-Not Available
Vendor-neo4jn/a
Product-neo4jn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-36038
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9||CRITICAL
EPSS-0.19% / 40.65%
||
7 Day CHG~0.00%
Published-25 Jun, 2025 | 20:38
Updated-26 Aug, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server code execution

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.

Action-Not Available
Vendor-IBM CorporationHP Inc.Microsoft CorporationLinux Kernel Organization, IncOracle Corporation
Product-linux_kernelwindowswebsphere_application_serveraixsolarishp-uxiz\/osWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2014-3699
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.99% / 75.94%
||
7 Day CHG~0.00%
Published-15 Dec, 2019 | 21:19
Updated-06 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eDeploy has RCE via cPickle deserialization of untrusted data

Action-Not Available
Vendor-eDeployRed Hat, Inc.
Product-edeployjboss_enterprise_web_servereDeploy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32568
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-11 Apr, 2025 | 08:42
Updated-11 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EmpikPlace for Woocommerce Plugin <= 1.4.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2.

Action-Not Available
Vendor-empik
Product-EmpikPlace for Woocommerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-33420
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 63.15%
||
7 Day CHG~0.00%
Published-15 Dec, 2022 | 00:00
Updated-21 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.

Action-Not Available
Vendor-replicator_projectn/a
Product-replicatorn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32572
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:47
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kata Plus Plugin <= 1.5.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection. This issue affects Kata Plus: from n/a through 1.5.2.

Action-Not Available
Vendor-Climax Themes
Product-Kata Plus
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-33026
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.11% / 95.11%
||
7 Day CHG-1.26%
Published-13 May, 2021 | 22:51
Updated-04 Aug, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Action-Not Available
Vendor-flask-caching_projectn/aflask-caching_project
Product-flask-cachingn/aflask-caching
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32434
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.43% / 61.79%
||
7 Day CHG~0.00%
Published-18 Apr, 2025 | 15:48
Updated-28 May, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

Action-Not Available
Vendor-pytorchThe Linux Foundation
Product-pytorchpytorch
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-32935
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.32% / 54.04%
||
7 Day CHG~0.00%
Published-23 May, 2022 | 18:42
Updated-16 Apr, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cognex In-Sight OPC Server - Deserialization of Untrusted Data

The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.

Action-Not Available
Vendor-cognexCognex
Product-in-sight_opc_serverIn-Sight OPC Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31631
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fish House <= 1.2.7 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House allows Object Injection. This issue affects Fish House: from n/a through 1.2.7.

Action-Not Available
Vendor-AncoraThemes
Product-Fish House
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-3287
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-71.12% / 98.65%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 12:58
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_opmanagern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32569
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-11 Apr, 2025 | 08:42
Updated-11 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TableOn Plugin <= 1.0.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-TableOn – WordPress Posts Table Filterable
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32375
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-44.14% / 97.46%
||
7 Day CHG~0.00%
Published-09 Apr, 2025 | 15:30
Updated-22 Apr, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization leads to RCE in BentoML's runner server

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8.

Action-Not Available
Vendor-bentomlbentoml
Product-bentomlBentoML
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31927
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.

Action-Not Available
Vendor-themeton
Product-Acerola
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31919
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-17 Jun, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spare <= 1.7 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7.

Action-Not Available
Vendor-themeton
Product-Spare
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 14
  • 15
  • Next
Details not found