Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-60038

Summary
Assigner-bosch
Assigner Org ID-c95f66b2-7e7c-41c5-8f09-6f86ec68659c
Published At-18 Feb, 2026 | 14:03
Updated At-18 Feb, 2026 | 14:23
Rejected At-
Credits

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:bosch
Assigner Org ID:c95f66b2-7e7c-41c5-8f09-6f86ec68659c
Published At:18 Feb, 2026 | 14:03
Updated At:18 Feb, 2026 | 14:23
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

Affected Products
Vendor
Bosch Rexroth
Product
IndraWorks
Versions
Affected
  • all
Problem Types
TypeCWE IDDescription
N/AN/ACWE-502 Deserialization of Untrusted Data
Type: N/A
CWE ID: N/A
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html
vendor-advisory
Hyperlink: https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@bosch.com
Published At:18 Feb, 2026 | 14:16
Updated At:24 Feb, 2026 | 16:01

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Robert Bosch GmbH
bosch
>>rexroth_indraworks>>Versions up to 15v24(inclusive)
cpe:2.3:a:bosch:rexroth_indraworks:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Secondarypsirt@bosch.com
CWE ID: CWE-502
Type: Secondary
Source: psirt@bosch.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.htmlpsirt@bosch.com
Vendor Advisory
Hyperlink: https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html
Source: psirt@bosch.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

187Records found
CVE-2025-33212
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-7.3||HIGH
EPSS-0.07% / 21.42%
||
7 Day CHG+0.01%
Published-16 Dec, 2025 | 17:21
Updated-26 Feb, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering.

Action-Not Available
Vendor-NVIDIA Corporation
Product-nemoNeMo Framework
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-7528
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-7.8||HIGH
EPSS-0.41% / 60.65%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 15:39
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized buffer.

Action-Not Available
Vendor-n/a
Product-scadapack_7x_remote_connectSCADAPack 7x Remote Connect V3.6.3.574 and prior.
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-3679
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.75% / 72.89%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 22:13
Updated-09 Apr, 2025 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Starter Templates by Kadence WP < 1.2.17 - Admin+ PHP Object Injection

The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Action-Not Available
Vendor-UnknownKadence WP
Product-starter_templatesStarter Templates by Kadence WP
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-27130
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.3||MEDIUM
EPSS-0.93% / 75.80%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 08:57
Updated-08 Jul, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.

Action-Not Available
Vendor-welcartWelcart Inc.
Product-welcart_e-commerceWelcart e-Commerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-24621
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.03% / 9.71%
||
7 Day CHG~0.00%
Published-25 Aug, 2023 | 00:00
Updated-02 Oct, 2024 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Action-Not Available
Vendor-esotericsoftwaren/a
Product-yamlbeansn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-35870
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-19.37% / 95.25%
||
7 Day CHG~0.00%
Published-25 Jul, 2022 | 18:16
Updated-03 Aug, 2024 | 09:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17265.

Action-Not Available
Vendor-inductiveautomationInductive Automation
Product-ignitionIgnition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-35872
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.95% / 76.00%
||
7 Day CHG~0.00%
Published-25 Jul, 2022 | 18:16
Updated-03 Aug, 2024 | 09:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115.

Action-Not Available
Vendor-inductiveautomationInductive Automation
Product-ignitionIgnition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-36038
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.47% / 80.69%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 19:00
Updated-23 Apr, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CircuitVerse potential RCE vulnerability via Oj.load

CircuitVerse is an open-source platform which allows users to construct digital logic circuits online. A remote code execution (RCE) vulnerability in CircuitVerse allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This issue may lead to Remote Code Execution (RCE). A patch is available in commit number 7b3023a99499a7675f10f2c1d9effdf10c35fb6e. There are currently no known workarounds.

Action-Not Available
Vendor-circuitverseCircuitVerse
Product-circuitverseCircuitVerse
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24590
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8||HIGH
EPSS-82.83% / 99.22%
||
7 Day CHG+3.20%
Published-06 Feb, 2024 | 14:40
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-clearAllegro.AI
Product-clearmlClearML
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10936
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-29.15% / 96.48%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 08:21
Updated-05 Feb, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
String Locator <= 2.6.6 - Unauthenticated PHP Object Injection

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.

Action-Not Available
Vendor-instawpinstawp
Product-string_locatorString locator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-28948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-76.22% / 98.90%
||
7 Day CHG~0.00%
Published-19 Nov, 2020 | 18:14
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Action-Not Available
Vendor-n/aDebian GNU/LinuxFedora ProjectThe PHP GroupThe Drupal Association
Product-debian_linuxfedoradrupalarchive_tarn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-2229
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-7.8||HIGH
EPSS-0.04% / 12.14%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 16:08
Updated-01 Aug, 2024 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user.

Action-Not Available
Vendor-
Product-EcoStruxure Power Design - Ecodialecostruxure_power_monitoring_expert
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-39780
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-7.8||HIGH
EPSS-0.73% / 72.48%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 07:31
Updated-26 Aug, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of unsafe yaml load in dynparam

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code.

Action-Not Available
Vendor-openroboticsOpen Source Robotics Foundation
Product-robot_operating_systemRobot Operating System (ROS)
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-22369
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.8||HIGH
EPSS-4.75% / 89.23%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 14:58
Updated-02 Apr, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository

Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

Action-Not Available
Vendor-The Apache Software Foundation
Product-camelApache Camelcamel
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10957
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.64% / 81.69%
||
7 Day CHG+0.62%
Published-04 Jan, 2025 | 13:41
Updated-06 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. An administrator must perform a search and replace action to trigger the exploit.

Action-Not Available
Vendor-davidanderson
Product-UpdraftPlus: WP Backup & Migration Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10012
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-7.8||HIGH
EPSS-0.06% / 18.20%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 15:19
Updated-07 Jan, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Progress UI for WPF format provider unsafe deserialization vulnerability

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability.

Action-Not Available
Vendor-Progress Software CorporationTelerik
Product-ui_for_wpfTelerik UI for WPFprogress_telerik_ui_for_wpf_versions
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-0936
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.82%
||
7 Day CHG~0.00%
Published-26 Jan, 2024 | 17:00
Updated-27 Aug, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
van_der_Schaar LAB TemporAI PKL File load_from_file deserialization

A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3. Affected by this vulnerability is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252181 was assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.

Action-Not Available
Vendor-vanderschaarlabvan_der_Schaar LAB
Product-temporaiTemporAI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12677
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.5||HIGH
EPSS-0.06% / 19.75%
||
7 Day CHG~0.00%
Published-20 Dec, 2024 | 16:44
Updated-24 Dec, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DTM Soft Deserialization of Untrusted Data

Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-DTM Soft
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12742
Matching Score-4
Assigner-National Instruments
ShareView Details
Matching Score-4
Assigner-National Instruments
CVSS Score-8.4||HIGH
EPSS-0.34% / 56.23%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 16:27
Updated-06 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data Vulnerability in NI G Web Development Software

A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted project file.  This vulnerability affects G Web Development Software 2022 Q3 and prior versions.

Action-Not Available
Vendor-NI
Product-G Web Development Software
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12703
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-8.5||HIGH
EPSS-1.04% / 77.14%
||
7 Day CHG+0.67%
Published-17 Jan, 2025 | 10:23
Updated-12 Feb, 2025 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.

Action-Not Available
Vendor-Schneider Electric SE
Product-RemoteConnect and SCADAPack x70 Utilities
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11393
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-76.12% / 98.89%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10913
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-2.50% / 85.07%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 13:55
Updated-20 Nov, 2024 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clone <= 2.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialized_replace'

The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-migratemigrate
Product-Cloneclone
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37064
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-7.8||HIGH
EPSS-0.19% / 40.49%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:03
Updated-02 Aug, 2024 | 03:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deseriliazation of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when loaded.

Action-Not Available
Vendor-YdataAIydataai
Product-ydata-profilingydata-profiling
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37057
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.52% / 66.38%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-3417
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.69% / 71.48%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 22:13
Updated-09 Apr, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPtouch < 4.3.45 - Admin+ PHP Object Injection

The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.

Action-Not Available
Vendor-bravenewcodeUnknown
Product-wptouchWPtouch
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37056
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.52% / 66.44%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-7018
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.6||CRITICAL
EPSS-0.20% / 42.30%
||
7 Day CHG+0.02%
Published-20 Dec, 2023 | 16:13
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data in huggingface/transformers

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Action-Not Available
Vendor-huggingfacehuggingface
Product-transformershuggingface/transformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-33316
Matching Score-4
Assigner-Mitsubishi Electric Corporation
ShareView Details
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.56%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 16:51
Updated-09 Jan, 2026 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes.

Action-Not Available
Vendor-iconicsMitsubishi Electric Iconics Digital SolutionsMitsubishi Electric Corporation
Product-genesis64mc_works64MC Works64ICONICS SuiteGENESIS64
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-33320
Matching Score-4
Assigner-Mitsubishi Electric Corporation
ShareView Details
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-7.8||HIGH
EPSS-0.20% / 41.47%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 16:56
Updated-09 Jan, 2026 | 06:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.

Action-Not Available
Vendor-iconicsMitsubishi Electric Iconics Digital SolutionsMitsubishi Electric Corporation
Product-genesis64mc_works64MC Works64ICONICS SuiteGENESIS64
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-3359
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.76% / 72.93%
||
7 Day CHG~0.00%
Published-12 Dec, 2022 | 17:54
Updated-22 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection

The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Action-Not Available
Vendor-UnknownDepicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-33315
Matching Score-4
Assigner-Mitsubishi Electric Corporation
ShareView Details
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.56%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 16:55
Updated-09 Jan, 2026 | 05:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes.

Action-Not Available
Vendor-iconicsMitsubishi Electric Iconics Digital SolutionsMitsubishi Electric Corporation
Product-genesis64mc_works64MC Works64ICONICS SuiteGENESIS64
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36180
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.23% / 84.28%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36182
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.71% / 85.68%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36179
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-60.26% / 98.23%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_credit_facilities_process_managementcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36181
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-5.41% / 89.96%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 22:29
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifierjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-50221
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-3.10% / 86.57%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 02:14
Updated-12 Mar, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability

Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926.

Action-Not Available
Vendor-inductiveautomationInductive Automationinductiveautomation
Product-ignitionIgnitionignition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-50222
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-3.20% / 86.76%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 02:14
Updated-12 Mar, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability

Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067.

Action-Not Available
Vendor-inductiveautomationInductive Automationinductiveautomation
Product-ignitionIgnitionignition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-30042
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7.8||HIGH
EPSS-0.26% / 48.77%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 16:57
Updated-03 May, 2025 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-office_long_term_servicing_channeloffice_online_serverofficeexcel365_appsOffice Online ServerMicrosoft Office LTSC for Mac 2021Microsoft Excel 2016Microsoft 365 Apps for EnterpriseMicrosoft Office LTSC 2021Microsoft Office 2019
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-49297
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.3||LOW
EPSS-0.11% / 29.06%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 20:51
Updated-13 Feb, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe YAML deserialization in PyDrive2

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserilization attack that will affect any user who initializes GoogleAuth from this package while a malicious yaml file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc` which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-iterativeiterative
Product-pydrive2PyDrive2
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28964
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.8||HIGH
EPSS-0.15% / 36.18%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 15:02
Updated-16 Aug, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Common Event Enabler, version 8.9.10.0 and prior, contain an insecure deserialization vulnerability in CAVATools. A local unauthenticated attacker could potentially exploit this vulnerability, leading to arbitrary code execution in the context of the logged in user. Exploitation of this issue requires a victim to open a malicious file.

Action-Not Available
Vendor-Dell Inc.
Product-common_event_enablerCommon Event Enablercommon_event_enabler
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-27322
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-6.99% / 91.29%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 13:02
Updated-13 Feb, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-The R Projectr_project
Product-Rr
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-28685
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-14.75% / 94.35%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of APP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17212.

Action-Not Available
Vendor-AVEVA
Product-aveva_edgeEdge
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-2433
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-3.59% / 87.53%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-21 Aug, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Cross-Site Request Forgery to PHAR Deserialization

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Action-Not Available
Vendor-connekthqdcooney
Product-ajax_load_moreAjax Load More – Infinite Scroll
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-2434
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-4.23% / 88.55%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-05 May, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Action-Not Available
Vendor-instawpinstawp
Product-string_locatorString locator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12741
Matching Score-4
Assigner-National Instruments
ShareView Details
Matching Score-4
Assigner-National Instruments
CVSS Score-8.4||HIGH
EPSS-6.13% / 90.62%
||
7 Day CHG~0.00%
Published-18 Dec, 2024 | 19:20
Updated-06 Mar, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization Of Untrusted Data Vulnerability In NI DAQExpress Project File

A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects DAQExpress 5.1 and prior versions.  Please note that DAQExpress is an EOL product and will not receive any updates.

Action-Not Available
Vendor-NI
Product-DAQExpress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-13163
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-23.11% / 95.81%
||
7 Day CHG+21.85%
Published-14 Jan, 2025 | 17:23
Updated-26 Feb, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-12525
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-7.3||HIGH
EPSS-0.11% / 28.77%
||
7 Day CHG~0.00%
Published-22 Jan, 2021 | 19:01
Updated-16 Sep, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAGO/M&M Software Deserialization of untrusted data in fdtCONTAINER component

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.

Action-Not Available
Vendor-pepperl-fuchsweidmuelleremersonwagoM&M SoftwarePepperl+Fuchs/PACTwareWeidmüller
Product-fdtcontainer_componentwi_managerfdtcontainer_applicationio-link_master_dr-8-pnio-tio-link_master_dr-8-eipio-link_master_dr-8-eip-tio-link_master_4-pnioio-link_master_firmwarepactwareio-link_master_4-eipio-link_master_8-eip-lrosemount_transmitter_interface_softwareio-link_master_dr-8-pnio-pio-link_master_dr-8-eip-pio-link_master_8-pnioio-link_master_8-eipdtminspector_3io-link_master_8-pnio-lio-link_master_dr-8-pnioWI ManagerPACTwarefdtCONTAINER ComponentfdtCONTAINER ApplicationdtmlINSPECTOR
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11394
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-59.39% / 98.20%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10932
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-2.27% / 84.38%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 07:24
Updated-06 Jan, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.

Action-Not Available
Vendor-inisev
Product-Backup Migration
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10968
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.03% / 88.27%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 12:43
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-communications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditcommunications_contacts_serverprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managerbanking_platformcommunications_session_report_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found