Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-27429

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-16 Jun, 2026 | 20:57
Updated At-17 Jun, 2026 | 10:44
Rejected At-
Credits

WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:16 Jun, 2026 | 20:57
Updated At:17 Jun, 2026 | 10:44
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.

Affected Products
Vendor
BoldThemesBoldThemes
Product
Nifty
Collection URL
https://wordpress.org/themes
Package Name
nifty
Default Status
unaffected
Versions
Affected
  • From n/a through 1.4.1 (custom)
    • -> unaffectedfrom1.4.2
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-586CAPEC-586 Object Injection
CAPEC ID: CAPEC-586
Description: CAPEC-586 Object Injection
Solutions

Update the WordPress Nifty Theme to the latest available version (at least 1.4.2).

Configurations

Workarounds

Exploits

Credits

finder
Bonds | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/wordpress/theme/nifty/vulnerability/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/theme/nifty/vulnerability/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:17 Jun, 2026 | 13:20
Updated At:17 Jun, 2026 | 14:44

Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-502Primaryaudit@patchstack.com
CWE ID: CWE-502
Type: Primary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/theme/nifty/vulnerability/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/theme/nifty/vulnerability/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1002Records found

CVE-2026-49075
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:51
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability

Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.

Action-Not Available
Vendor-Jetimpex Inc.
Product-JetEngine
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52439
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.47%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 11:27
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Team Rosters plugin <= 4.8.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This issue affects Team Rosters: from n/a through <= 4.8.2.

Action-Not Available
Vendor-Mark O'Donnellmark_odonnell
Product-Team Rostersteam_rosters
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49108
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 22.18%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Moderno < 1.43 versions.

Action-Not Available
Vendor-park_of_ideas
Product-Moderno
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49121
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.2||CRITICAL
EPSS-1.10% / 61.76%
||
7 Day CHG+0.06%
Published-01 Jun, 2026 | 17:09
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization

AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

Action-Not Available
Vendor-ROCmAdvanced Micro Devices, Inc.Red Hat, Inc.
Product-aiteraiterRed Hat OpenShift AI (RHOAI)Red Hat AI Inference Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49105
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.71%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-15 Jun, 2026 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Action-Not Available
Vendor-CRM Perks
Product-WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52443
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.43%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 11:13
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Geolocator plugin <= 1.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects Geolocator: from n/a through <= 1.1.

Action-Not Available
Vendor-masikonisnerijus_masikonis
Product-Geolocatorgeolocator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17206
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.16% / 86.40%
||
7 Day CHG~0.00%
Published-05 Oct, 2019 | 22:01
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.

Action-Not Available
Vendor-redis_wrapper_projectn/a
Product-redis_wrappern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52412
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.68%
||
7 Day CHG~0.00%
Published-16 Nov, 2024 | 21:36
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Xin theme <= 1.0.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection.This issue affects Xin: from n/a through 1.0.8.1.

Action-Not Available
Vendor-Stephen Cuistephen_cui
Product-Xinxin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-47065
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.15%
||
7 Day CHG+0.10%
Published-03 Jun, 2026 | 09:39
Updated-30 Jun, 2026 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class — bypassing the accepted classes list . ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class’s (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept(“com.myapp.*") , attacker supplies com.myapp.SomeClass ) causes <clinit> of SomeClass — and many real-world classes have side-effecting static initialisers Both issues have been fixed.

Action-Not Available
Vendor-The Apache Software Foundation
Product-minaApache MINA
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-18283
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-5.43% / 91.74%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:08
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The AdminService is available without authentication on the Application Server. An attacker can gain remote code execution by sending specifically crafted objects to one of its functions. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.

Action-Not Available
Vendor-Siemens AG
Product-sppa-t3000_application_serverSPPA-T3000 Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-45247
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-27.55% / 97.83%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 14:15
Updated-04 Jun, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-06-06||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Action-Not Available
Vendor-mirasvitMirasvitMirasvit
Product-full_page_cache_warmerFull Page Cache Warmer for Magento 2Mirasvit Full Page Cache Warmer
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.33% / 91.62%
||
7 Day CHG~0.00%
Published-12 Oct, 2019 | 20:07
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-enterprise_linux_serverretail_sales_auditcommunications_cloud_native_core_network_slice_selection_functioncommunications_billing_and_revenue_managementsiebel_engineering_-_installer_\&_deploymentjd_edwards_enterpriseone_orchestratorprimavera_gatewaybanking_platformoncommand_workflow_automationretail_merchandising_systemglobal_lifecycle_management_nextgen_oui_frameworksteelstore_cloud_integrated_storagedebian_linuxweblogic_serverjackson-databindcommunications_calendar_servertrace_file_analyzercommunications_evolved_communications_application_servergoldengate_application_adapterswebcenter_sitesjboss_enterprise_application_platformjd_edwards_enterpriseone_toolswebcenter_portaln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17556
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.62% / 88.11%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 16:59
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Action-Not Available
Vendor-The Apache Software Foundation
Product-olingoOlingo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52306
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.57% / 43.13%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 15:15
Updated-19 Nov, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FileManager Deserialization of Untrusted Data

FileManager provides a Backpack admin interface for files and folder. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9.

Action-Not Available
Vendor-backpackforlaravelLaravel-Backpacklaravel-backpack
Product-filemanagerFileManagerfile_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60889
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 42.83%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 00:00
Updated-18 May, 2026 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.

Action-Not Available
Vendor-stellar-groupn/a
Product-hpxn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52414
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.68%
||
7 Day CHG~0.00%
Published-16 Nov, 2024 | 21:22
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WDES Responsive Mobile Menu plugin <= 5.3.18 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu wdes-responsive-mobile-menu allows Object Injection.This issue affects WDES Responsive Mobile Menu: from n/a through <= 5.3.18.

Action-Not Available
Vendor-Anthony Carbonanthony_carbon
Product-WDES Responsive Mobile Menuwdes_responsive_mobile_menu
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10915
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-86.62% / 99.72%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 20:51
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

Action-Not Available
Vendor-Veeam Software Group GmbH
Product-oneOne Agent
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-42779
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.90% / 55.34%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 10:00
Updated-02 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2)

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Action-Not Available
Vendor-The Apache Software Foundation
Product-minaApache MINA
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-42473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.98%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 00:00
Updated-05 May, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-42472
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.98%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 00:00
Updated-05 May, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-42380
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.75%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:51
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.

Action-Not Available
Vendor-jwsthemes
Product-AI Lab
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-41330
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.88% / 76.87%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 17:33
Updated-30 Sep, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. ## Issue On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.

Action-Not Available
Vendor-knplabsKnpLabs
Product-snappysnappy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-62025
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.84%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JobSearch plugin < 3.0.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch.This issue affects JobSearch: from n/a through < 3.0.8.

Action-Not Available
Vendor-eyecix
Product-JobSearch
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41635
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 46.21%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 08:59
Updated-29 Apr, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName().  Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call  IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Action-Not Available
Vendor-The Apache Software Foundation
Product-minaApache MINA
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41409
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 36.07%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 09:20
Updated-29 Apr, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache MINA: CWE-502 Deserialization of Untrusted Data

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

Action-Not Available
Vendor-The Apache Software Foundation
Product-minaApache MINA
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-52430
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-1.05% / 60.10%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 14:27
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Lis Video Gallery plugin <= 0.2.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in bublick Lis Video Gallery lis-video-gallery allows Object Injection.This issue affects Lis Video Gallery: from n/a through <= 0.2.1.

Action-Not Available
Vendor-lisbublicklis
Product-video_galleryLis Video Galleryvideo_gallery
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41855
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.27% / 18.41%
||
7 Day CHG+0.01%
Published-09 Jun, 2026 | 03:51
Updated-29 Jun, 2026 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Framework Unsafe Deserialization via Jackson JMS Converters

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_frameworkSpring Framework
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17564
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-35.56% / 98.26%
||
7 Day CHG~0.00%
Published-01 Apr, 2020 | 21:17
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dubboApache Dubbo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41699
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.43% / 34.57%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-30 Jun, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe Deserialization in Spring GraphQL

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_graphqlSpring for GraphQL
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17267
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.59% / 90.50%
||
7 Day CHG~0.00%
Published-06 Oct, 2019 | 23:08
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-debian_linuxweblogic_serveroncommand_api_servicesjackson-databindenterprise_linuxactive_iq_unified_managercustomer_management_and_segmentation_foundationgoldengate_application_adaptersoncommand_workflow_automationservice_level_managerjboss_enterprise_application_platformretail_customer_management_and_segmentation_foundationsteelstore_cloud_integrated_storagen/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39890
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 43.48%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 20:45
Updated-15 Apr, 2026 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.

Action-Not Available
Vendor-praisonMervinPraison
Product-praisonaiPraisonAI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40860
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.88% / 54.71%
||
7 Day CHG+0.19%
Published-27 Apr, 2026 | 08:03
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-camelApache CamelRed Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14Red Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40725
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.51%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:50
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.

Action-Not Available
Vendor-Barn2 Media Ltd
Product-WooCommerce Product Filters
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40044
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-0.48% / 38.22%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 18:11
Updated-12 May, 2026 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.

Action-Not Available
Vendor-Pachno
Product-Pachno
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-18364
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.48% / 87.68%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 14:54
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17571
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-69.06% / 99.27%
||
7 Day CHG~0.00%
Published-20 Dec, 2019 | 16:01
Updated-28 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Action-Not Available
Vendor-Oracle CorporationNetApp, Inc.openSUSECanonical Ltd.The Apache Software FoundationDebian GNU/Linux
Product-application_testing_suiteendeca_information_discovery_studiooncommand_workflow_automationretail_extract_transform_and_loadleaprapid_planningdebian_linuxweblogic_serverubuntu_linuxoncommand_system_managercommunications_network_integrityfinancial_services_lending_and_leasingprimavera_gatewaylog4jmysql_enterprise_monitorretail_service_backbonebookkeeperLog4j
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39006
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.52% / 40.04%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 00:00
Updated-16 Jun, 2026 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-73
External Control of File Name or Path
CVE-2019-17570
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-49.29% / 98.75%
||
7 Day CHG~0.00%
Published-23 Jan, 2020 | 00:00
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Action-Not Available
Vendor-Canonical Ltd.The Apache Software FoundationRed Hat, Inc.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxsoftware_collectionsfedoraenterprise_linuxxml-rpcApache XML-RPC
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-35300
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 42.74%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-18 Jun, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-weblogic_serverWebLogic Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-34877
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.31%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 00:00
Updated-05 Jun, 2026 | 19:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

Action-Not Available
Vendor-trustedfirmwaren/aArm Limited
Product-mbed_tlsn/a
CWE ID-CWE-250
Execution with Unnecessary Privileges
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-34084
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.2||CRITICAL
EPSS-0.71% / 49.10%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 19:22
Updated-08 May, 2026 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheet
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-17076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.50% / 82.79%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 15:57
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server.

Action-Not Available
Vendor-jamfn/a
Product-jamfn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-9365
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-9.8||CRITICAL
EPSS-0.97% / 57.39%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 18:05
Updated-04 Aug, 2024 | 21:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Bluetooth, there is a possible deserialization error due to missing string validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109838537

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-33701
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.93% / 56.37%
||
7 Day CHG+0.02%
Published-27 Mar, 2026 | 00:01
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

Action-Not Available
Vendor-open-telemetryThe Linux FoundationRed Hat, Inc.
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentationRed Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-3422
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.76% / 50.85%
||
7 Day CHG~0.00%
Published-02 Mar, 2026 | 06:24
Updated-09 Mar, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
e-Excellence|U-Office Force - Insecure Deserialization

U-Office Force developed by e-Excellence has a Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.

Action-Not Available
Vendor-edetwe-Excellence
Product-u-office_forceU-Office Force
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-33942
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.62% / 45.44%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 00:27
Updated-28 Mar, 2026 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.

Action-Not Available
Vendor-saloonsaloonphp
Product-saloonsaloon
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-33439
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-10.49% / 95.20%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 20:46
Updated-15 Apr, 2026 | 23:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

Action-Not Available
Vendor-openidentityplatformOpenIdentityPlatform
Product-openamOpenAM
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-32502
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.50%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:15
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.

Action-Not Available
Vendor-Select-Themes
Product-Borgholm
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-16942
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.68% / 92.05%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 16:04
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Action-Not Available
Vendor-n/aDebian GNU/LinuxFedora ProjectOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-retail_sales_auditprimavera_unifiercommunications_cloud_native_core_network_slice_selection_functiononcommand_api_servicescommunications_billing_and_revenue_managementsiebel_engineering_-_installer_\&_deploymentjd_edwards_enterpriseone_orchestratorprimavera_gatewaysiebel_ui_frameworkenterprise_linuxactive_iq_unified_managerbanking_platformdatabase_serveroncommand_workflow_automationretail_merchandising_systemglobal_lifecycle_management_nextgen_oui_frameworksteelstore_cloud_integrated_storagedebian_linuxweblogic_serverjackson-databindcommunications_calendar_serverfedoracommunications_evolved_communications_application_servergoldengate_application_adapterswebcenter_sitesservice_level_managerjboss_enterprise_application_platformjd_edwards_enterpriseone_toolswebcenter_portaln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-3296
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.88% / 54.64%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 01:24
Updated-27 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.

Action-Not Available
Vendor-wpeverest
Product-Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 20
  • 21
  • Next
Details not found