Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-31222

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-12 May, 2026 | 00:00
Updated At-15 May, 2026 | 18:05
Rejected At-
Credits

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:12 May, 2026 | 00:00
Updated At:15 May, 2026 | 18:05
Rejected At:
▼CVE Numbering Authority (CNA)

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/snorkel-team/snorkel
N/A
https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d
N/A
Hyperlink: https://github.com/snorkel-team/snorkel
Resource: N/A
Hyperlink: https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:12 May, 2026 | 16:16
Updated At:15 May, 2026 | 19:16

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
snorkel
snorkel
>>snorkel>>Versions up to 0.10.0(inclusive)
cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Primarynvd@nist.gov
CWE-502Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-502
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-502
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/snorkel-team/snorkelcve@mitre.org
Product
https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6dcve@mitre.org
Third Party Advisory
Hyperlink: https://github.com/snorkel-team/snorkel
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

86Records found
CVE-2025-33214
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-8.8||HIGH
EPSS-0.11% / 28.74%
||
7 Day CHG+0.01%
Published-09 Dec, 2025 | 17:49
Updated-09 Dec, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.

Action-Not Available
Vendor-NVIDIA Corporation
Product-NVTabular
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-33213
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-8.8||HIGH
EPSS-0.11% / 28.74%
||
7 Day CHG+0.01%
Published-09 Dec, 2025 | 17:48
Updated-09 Dec, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.

Action-Not Available
Vendor-NVIDIA Corporation
Product-Merlin Transformers4Rec
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31129
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.46% / 64.44%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 19:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jooby-pac4j: deserialization of untrusted data

Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

Action-Not Available
Vendor-jooby-project
Product-jooby
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37059
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.44% / 63.19%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowmlflow
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37052
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.32% / 55.24%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 11:59
Updated-03 Feb, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37054
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.22% / 44.11%
||
7 Day CHG+0.01%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37055
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.44% / 63.19%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37057
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.44% / 63.19%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37053
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.44% / 63.19%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37056
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.40% / 60.81%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37058
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.40% / 60.81%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-32935
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.55% / 68.17%
||
7 Day CHG~0.00%
Published-23 May, 2022 | 18:42
Updated-16 Apr, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cognex In-Sight OPC Server - Deserialization of Untrusted Data

The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.

Action-Not Available
Vendor-cognexCognex
Product-in-sight_opc_serverIn-Sight OPC Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-27322
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-5.77% / 90.58%
||
7 Day CHG-0.18%
Published-29 Apr, 2024 | 13:02
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-The R Projectr_project
Product-Rr
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-27130
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.3||MEDIUM
EPSS-0.61% / 70.09%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 08:57
Updated-08 Jul, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.

Action-Not Available
Vendor-welcartWelcart Inc.
Product-welcart_e-commerceWelcart e-Commerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24590
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8||HIGH
EPSS-82.83% / 99.26%
||
7 Day CHG~0.00%
Published-06 Feb, 2024 | 14:40
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-clearAllegro.AI
Product-clearmlClearML
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-4305
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-1.39% / 80.62%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 19:05
Updated-16 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176677.

Action-Not Available
Vendor-IBM Corporation
Product-infosphere_information_server_on_cloudinfosphere_information_serverInfoSphere Information Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10932
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.74% / 82.78%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 07:24
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.

Action-Not Available
Vendor-inisev
Product-BackupBliss – Backup & Migration with Free Cloud Storage
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36181
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-5.43% / 90.27%
||
7 Day CHG+0.02%
Published-06 Jan, 2021 | 22:29
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifierjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36182
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.73% / 86.13%
||
7 Day CHG+0.01%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36179
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-60.26% / 98.30%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_credit_facilities_process_managementcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-11112
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-6.77% / 91.42%
||
7 Day CHG~0.00%
Published-31 Mar, 2020 | 04:37
Updated-29 Apr, 2026 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Action-Not Available
Vendor-n/aFasterXML, LLC.Oracle CorporationDebian GNU/LinuxNetApp, Inc.
Product-communications_contacts_serverdebian_linuxinsurance_policy_administration_j2eejd_edwards_enterpriseone_orchestratorprimavera_unifiercommunications_calendar_servercommunications_session_route_managercommunications_instant_messaging_serverfinancial_services_retail_customer_analyticsbanking_digital_experienceretail_merchandising_systemcommunications_session_report_managercommunications_element_managersteelstore_cloud_integrated_storageenterprise_manager_base_platformbanking_platformcommunications_evolved_communications_application_serverautovue_for_agile_product_lifecycle_managementweblogic_serverjackson-databindfinancial_services_price_creation_and_discoverycommunications_diameter_signaling_routerjd_edwards_enterpriseone_toolscommunications_network_charging_and_controlfinancial_services_analytical_applications_infrastructureretail_xstore_point_of_serviceretail_service_backboneretail_sales_auditagile_plmfinancial_services_institutional_performance_analyticsglobal_lifecycle_management_opatchn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-11113
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-60.71% / 98.31%
||
7 Day CHG~0.00%
Published-31 Mar, 2020 | 04:37
Updated-29 Apr, 2026 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Action-Not Available
Vendor-n/aFasterXML, LLC.Oracle CorporationDebian GNU/LinuxNetApp, Inc.
Product-communications_contacts_serverwebcenter_portalcommunications_calendar_servercommunications_session_route_managercommunications_instant_messaging_serverfinancial_services_retail_customer_analyticscommunications_session_report_managercommunications_element_managerbanking_platformcommunications_evolved_communications_application_serverweblogic_serverjackson-databindfinancial_services_price_creation_and_discoverycommunications_diameter_signaling_routerjd_edwards_enterpriseone_toolsretail_service_backboneagile_plmfinancial_services_institutional_performance_analyticsglobal_lifecycle_management_opatchdebian_linuxinsurance_policy_administration_j2eejd_edwards_enterpriseone_orchestratorprimavera_unifierbanking_digital_experienceretail_merchandising_systemsteelstore_cloud_integrated_storageenterprise_manager_base_platformautovue_for_agile_product_lifecycle_managementcommunications_network_charging_and_controlfinancial_services_analytical_applications_infrastructureretail_xstore_point_of_serviceretail_sales_auditn/aenterprise_manager_base_platformcommunications_diameter_signaling_routercommunications_network_charging_and_controlcommunications_element_managercommunications_evolved_communications_application_serverretail_sales_auditautovue_for_agile_product_lifecycle_managementfinancial_services_analytical_applications_infrastructureretail_xstore_point_of_servicecommunications_instant_messaging_serverfinancial_services_institutional_performance_analyticsprimavera_unifiercommunications_calendar_serverweblogic_servercommunications_session_route_managerdebian_linuxretail_merchandising_systemretail_service_backbonefinancial_services_price_creation_and_discoverysteelstore_cloud_integrated_storageinsurance_policy_administration_j2eeagile_plmjd_edwards_enterpriseone_orchestratorglobal_lifecycle_management_opatchfinancial_services_retail_customer_analyticsjackson-databindbanking_digital_experience
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10968
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.82% / 88.28%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 12:43
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-communications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditcommunications_contacts_serverprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managerbanking_platformcommunications_session_report_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10672
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-39.16% / 97.34%
||
7 Day CHG+0.25%
Published-18 Mar, 2020 | 21:17
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-communications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditcommunications_contacts_serverprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managerbanking_platformcommunications_session_report_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10969
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.03% / 77.64%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 12:43
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-communications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditcommunications_contacts_serverprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managerbanking_platformcommunications_session_report_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10673
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-20.47% / 95.64%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 21:17
Updated-27 Aug, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Action-Not Available
Vendor-n/aOracle CorporationDebian GNU/LinuxNetApp, Inc.FasterXML, LLC.
Product-communications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditcommunications_contacts_serverprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managerbanking_platformcommunications_session_report_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/aenterprise_manager_base_platformcommunications_diameter_signaling_routercommunications_network_charging_and_controlcommunications_element_managercommunications_evolved_communications_application_serverretail_sales_auditautovue_for_agile_product_lifecycle_managementfinancial_services_analytical_applications_infrastructureretail_xstore_point_of_servicecommunications_instant_messaging_serverfinancial_services_institutional_performance_analyticsprimavera_unifiercommunications_calendar_serverweblogic_servercommunications_session_route_managerdebian_linuxretail_merchandising_systemretail_service_backbonefinancial_services_price_creation_and_discoverysteelstore_cloud_integrated_storageinsurance_policy_administration_j2eeagile_plmjd_edwards_enterpriseone_orchestratorglobal_lifecycle_management_opatchfinancial_services_retail_customer_analyticsjackson-databindbanking_digital_experience
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-63675
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 15.50%
||
7 Day CHG~0.00%
Published-31 Oct, 2025 | 00:00
Updated-08 Dec, 2025 | 13:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.

Action-Not Available
Vendor-netinventcryptidy
Product-cryptidycryptidy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60035
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-7.8||HIGH
EPSS-0.18% / 39.63%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 14:01
Updated-24 Feb, 2026 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the OPC.Testclient.

Action-Not Available
Vendor-Bosch RexrothRobert Bosch GmbH
Product-rexroth_indraworksIndraWorks
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60037
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-7.8||HIGH
EPSS-0.18% / 39.63%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 14:03
Updated-24 Feb, 2026 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

Action-Not Available
Vendor-Bosch RexrothRobert Bosch GmbH
Product-rexroth_indraworksIndraWorks
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60036
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-7.8||HIGH
EPSS-0.18% / 39.63%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 14:02
Updated-24 Feb, 2026 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.Testclient.

Action-Not Available
Vendor-Bosch RexrothRobert Bosch GmbH
Product-rexroth_ua.testclientrexroth_indraworksIndraWorksUA.Testclient
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-56816
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.01% / 83.96%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 00:00
Updated-10 Oct, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. The configuration file handling of the application allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses this file using SnakeYAML's unsafe load() or loadAs() method without input sanitization. This allows deserialization of attacker-controlled YAML content, leading to arbitrary class instantiation. Under certain conditions, this can be exploited to achieve remote code execution (RCE).

Action-Not Available
Vendor-running-elephantn/a
Product-datartn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-58757
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.06% / 77.85%
||
7 Day CHG+0.37%
Published-08 Sep, 2025 | 23:42
Updated-19 Sep, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MONAI's unsafe use of Pickle deserialization may lead to RCE

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()` . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.

Action-Not Available
Vendor-monaiProject-MONAI
Product-medical_open_network_for_aiMONAI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-48101
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.09% / 24.94%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 16:26
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Constant Contact for WordPress Plugin <= 4.1.1 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.

Action-Not Available
Vendor-webdevstudios
Product-Constant Contact for WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-52287
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.21% / 43.47%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-12 Sep, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability.

Action-Not Available
Vendor-elite_projectn/a
Product-eliten/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36184
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-6.98% / 91.56%
||
7 Day CHG+0.07%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-36180
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.73% / 86.13%
||
7 Day CHG+0.01%
Published-06 Jan, 2021 | 22:30
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-primavera_unifiercloud_backupjd_edwards_enterpriseone_orchestratorprimavera_gatewaycommunications_network_charging_and_controlcommunications_session_route_managerretail_service_backbonecommunications_session_report_managercommunications_instant_messaging_serverautovue_for_agile_product_lifecycle_managementagile_plmcommunications_policy_managementcommunications_cloud_native_core_policyretail_merchandising_systemcommunications_convergent_charging_controllercommerce_platformblockchain_platformcommunications_cloud_native_core_unified_data_repositoryjackson-databindcommunications_evolved_communications_application_servercommunications_unified_inventory_managementservice_level_managerdocumakerapplication_testing_suitecommunications_services_gatekeeperbanking_virtual_account_managementretail_customer_management_and_segmentation_foundationinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerdebian_linuxbanking_supply_chain_financecommunications_diameter_signaling_routecommunications_pricing_design_centerbanking_credit_facilities_process_managementretail_xstore_point_of_serviceinsurance_policy_administrationbanking_corporate_lending_process_managementgoldengate_application_adaptersbanking_extensibility_workbenchcommunications_element_managerjd_edwards_enterpriseone_toolsbanking_treasury_managementwebcenter_portaldata_integratorn/acommunications_diameter_signaling_routerglobal_lifecycle_management_opatchretail_sales_auditprimavera_unifierbanking_digital_experiencejd_edwards_enterpriseone_orchestratorretail_service_backbonecommunications_network_charging_and_controlcommunications_session_route_managercommunications_instant_messaging_serveragile_plmautovue_for_agile_product_lifecycle_managementfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoveryretail_merchandising_systemfinancial_services_institutional_performance_analyticssteelstore_cloud_integrated_storagedebian_linuxinsurance_policy_administration_j2eeweblogic_serverjackson-databindfinancial_services_analytical_applications_infrastructurecommunications_calendar_serverretail_xstore_point_of_servicecommunications_evolved_communications_application_servercommunications_element_managerenterprise_manager_base_platform
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • Next
Details not found