Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-56031

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-26 Jun, 2026 | 14:52
Updated At-26 Jun, 2026 | 17:43
Rejected At-
Credits

WordPress Uncanny Automator plugin <= 7.3.1.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:26 Jun, 2026 | 14:52
Updated At:26 Jun, 2026 | 17:43
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Uncanny Automator plugin <= 7.3.1.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.

Affected Products
Vendor
Uncanny Owl Inc.Uncanny Owl
Product
Uncanny Automator
Collection URL
https://wordpress.org/plugins
Package Name
uncanny-automator
Default Status
unaffected
Versions
Affected
  • From n/a through 7.3.1.2 (custom)
    • -> unaffectedfrom7.3.1.3
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-586CAPEC-586 Object Injection
CAPEC ID: CAPEC-586
Description: CAPEC-586 Object Injection
Solutions

Update the WordPress Uncanny Automator Plugin to the latest available version (at least 7.3.1.3).

Configurations

Workarounds

Exploits

Credits

finder
VanTastic | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-7-3-1-2-php-object-injection-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-7-3-1-2-php-object-injection-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:26 Jun, 2026 | 15:16
Updated At:26 Jun, 2026 | 18:17

Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-502Secondaryaudit@patchstack.com
CWE ID: CWE-502
Type: Secondary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-7-3-1-2-php-object-injection-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-7-3-1-2-php-object-injection-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

161Records found

CVE-2025-11938
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.67% / 47.53%
||
7 Day CHG~0.00%
Published-19 Oct, 2025 | 07:32
Updated-24 Feb, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChurchCRM setup.php deserialization

A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-churchcrmn/a
Product-churchcrmChurchCRM
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-14062
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-8.07% / 94.10%
||
7 Day CHG~0.00%
Published-14 Jun, 2020 | 19:42
Updated-29 Apr, 2026 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Action-Not Available
Vendor-n/aFasterXML, LLC.Oracle CorporationDebian GNU/LinuxNetApp, Inc.
Product-active_iq_unified_managerdebian_linuxcommunications_contacts_servercommunications_element_managerjackson-databindsteelstore_cloud_integrated_storagecommunications_diameter_signaling_routercommunications_calendar_servercommunications_session_route_managerbanking_digital_experiencecommunications_session_report_manageragile_plmcommunications_evolved_communications_application_servern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-14060
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-8.61% / 94.43%
||
7 Day CHG~0.00%
Published-14 Jun, 2020 | 20:46
Updated-29 Apr, 2026 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Action-Not Available
Vendor-n/aFasterXML, LLC.Oracle CorporationNetApp, Inc.
Product-active_iq_unified_managercommunications_contacts_servercommunications_element_managerjackson-databindsteelstore_cloud_integrated_storagecommunications_diameter_signaling_routercommunications_calendar_servercommunications_session_route_managerbanking_digital_experiencecommunications_session_report_manageragile_plmcommunications_evolved_communications_application_servern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40755
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.25% / 16.19%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.

Action-Not Available
Vendor-Mikado-Themes
Product-TechLink
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40761
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.25% / 16.19%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.

Action-Not Available
Vendor-Edge-Themes
Product-Valeska
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40758
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.32% / 23.84%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.

Action-Not Available
Vendor-Elated-Themes
Product-Léonie
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40739
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.32% / 23.84%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.

Action-Not Available
Vendor-Mikado-Themes
Product-LuxeDrive
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40753
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:51
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EasyMeals theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.

Action-Not Available
Vendor-Mikado-Themes
Product-EasyMeals
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40735
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.40% / 31.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:51
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Reina theme <= 2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Reina <= 2.1 versions.

Action-Not Available
Vendor-Edge-Themes
Product-Reina
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-40733
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ShiftUp theme <= 1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.

Action-Not Available
Vendor-Mikado-Themes
Product-ShiftUp
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39567
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Santé theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.

Action-Not Available
Vendor-Select-Themes
Product-Santé
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39443
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EmallShop theme <= 2.4.21 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions.

Action-Not Available
Vendor-PressLayouts
Product-EmallShop
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39446
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kapee theme < 1.7.0 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.

Action-Not Available
Vendor-PressLayouts
Product-Kapee
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39580
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.25% / 16.19%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.

Action-Not Available
Vendor-Select-Themes
Product-Micdrop
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39560
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.55%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hiroshi theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.

Action-Not Available
Vendor-Select-Themes
Product-Hiroshi
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-0956
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.52% / 40.46%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 09:21
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Recover Abandoned Cart <= 24.4.0 - Unauthenticated PHP Object Injection

The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Action-Not Available
Vendor-FantasticPlugins
Product-WooCommerce Recover Abandoned Cart
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39554
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fidalgo theme <= 1.2.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.

Action-Not Available
Vendor-Elated-Themes
Product-Fidalgo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39545
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.40% / 31.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:50
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Zermatt theme <= 1.6.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions.

Action-Not Available
Vendor-Select-Themes
Product-Zermatt
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-42631
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-6.32% / 92.77%
||
7 Day CHG~0.00%
Published-31 Jan, 2022 | 17:48
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution.

Action-Not Available
Vendor-printerlogicn/aLinux Kernel Organization, IncApple Inc.
Product-virtual_appliancemacoslinux_kernelweb_stackn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-11619
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-3.61% / 88.07%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 22:14
Updated-29 Apr, 2026 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Action-Not Available
Vendor-n/aFasterXML, LLC.Oracle CorporationDebian GNU/LinuxNetApp, Inc.
Product-communications_contacts_serverdebian_linuxjd_edwards_enterpriseone_orchestratorprimavera_unifiercommunications_calendar_servercommunications_instant_messaging_serverretail_merchandising_systemsteelstore_cloud_integrated_storageenterprise_manager_base_platformbanking_platformcommunications_evolved_communications_application_serveractive_iq_unified_managerweblogic_serverjackson-databindjd_edwards_enterpriseone_toolscommunications_diameter_signaling_routercommunications_network_charging_and_controlretail_xstore_point_of_serviceretail_sales_auditagile_plmglobal_lifecycle_management_opatchn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39557
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.40% / 31.46%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 20:57
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NeoBeat theme <= 1.7 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.

Action-Not Available
Vendor-Elated-Themes
Product-NeoBeat
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39550
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 10:44
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6.

Action-Not Available
Vendor-Elated-Themes
Product-Aperitif
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-11620
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-5.59% / 91.96%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 22:14
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.
Product-global_lifecycle_management_opatchcommunications_contacts_serverretail_sales_auditprimavera_unifierjd_edwards_enterpriseone_orchestratorcommunications_network_charging_and_controlactive_iq_unified_managerbanking_platformcommunications_instant_messaging_serverretail_merchandising_systemsteelstore_cloud_integrated_storagedebian_linuxweblogic_serverjackson-databindretail_xstore_point_of_servicecommunications_evolved_communications_application_serverjd_edwards_enterpriseone_toolsenterprise_manager_base_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39555
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.26% / 16.81%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 13:34
Updated-02 Jun, 2026 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.

Action-Not Available
Vendor-Elated-Themes
Product-Askka
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39576
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.40% / 31.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SingleMalt theme <= 1.5 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.

Action-Not Available
Vendor-Elated-Themes
Product-SingleMalt
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-4125
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-1.19% / 64.12%
||
7 Day CHG~0.00%
Published-24 Aug, 2022 | 15:09
Updated-03 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-openshiftkube-reporting/hive
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39442
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 12:47
Updated-17 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PressMart theme <= 1.2.26 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.

Action-Not Available
Vendor-PressLayouts
Product-PressMart
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39253
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.80% / 52.28%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 00:00
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-15133
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-76.81% / 99.49%
||
7 Day CHG~0.00%
Published-09 Aug, 2018 | 19:00
Updated-07 Nov, 2025 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-02-06||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Action-Not Available
Vendor-laraveln/aLaravel
Product-laraveln/aLaravel Framework
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10650
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-3.30% / 87.03%
||
7 Day CHG~0.00%
Published-26 Dec, 2022 | 00:00
Updated-19 Aug, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Action-Not Available
Vendor-n/aDebian GNU/LinuxFasterXML, LLC.NetApp, Inc.Oracle Corporation
Product-debian_linuxjackson-databindretail_merchandising_systemactive_iq_unified_managerretail_sales_auditn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-33701
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.93% / 56.37%
||
7 Day CHG+0.02%
Published-27 Mar, 2026 | 00:01
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

Action-Not Available
Vendor-open-telemetryThe Linux FoundationRed Hat, Inc.
Product-opentelemetry_instrumentation_for_javaopentelemetry-java-instrumentationRed Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-37632
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-1.68% / 74.07%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 20:15
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data in com.supermartijn642.configlib.ConfigSyncPacket

SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher.

Action-Not Available
Vendor-config_lib_projectSuperMartijn642
Product-config_libSuperMartijn642sConfigLib
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-56283
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.41% / 32.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:49
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Locatoraid Store Locator Plugin <= 3.9.50 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection.This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50.

Action-Not Available
Vendor-plainware
Product-Locatoraid Store Locator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-56291
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.41% / 32.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:49
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PlainInventory – Inventory Management Plugin Plugin <= 3.1.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection.This issue affects PlainInventory: from n/a through <= 3.1.6.

Action-Not Available
Vendor-plainware
Product-PlainInventory
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-38689
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-1.21% / 64.74%
||
7 Day CHG~0.00%
Published-04 Aug, 2023 | 16:21
Updated-10 Oct, 2024 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data in network IO

Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java's `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code. The issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks.

Action-Not Available
Vendor-rs485RS485rs485
Product-logisticspipesLogisticsPipeslogisticspipes
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-39573
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.40% / 31.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:50
Updated-17 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mildhill theme <= 1.5 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Mildhill <= 1.5 versions.

Action-Not Available
Vendor-Select-Themes
Product-Mildhill
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-53673
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.1||HIGH
EPSS-0.72% / 49.29%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 21:45
Updated-12 Dec, 2024 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A java deserialization vulnerability in HPE Remote Insight Support may allow an unauthenticated attacker to execute code.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-insight_remote_supportInsight Remote Supportinsight_remote_support
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27206
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.74% / 50.10%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 07:01
Updated-24 Feb, 2026 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()

Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.

Action-Not Available
Vendor-zumba
Product-json-serializer
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-24217
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.1||HIGH
EPSS-3.52% / 87.81%
||
7 Day CHG~0.00%
Published-12 Apr, 2021 | 14:01
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.

Action-Not Available
Vendor-UnknownFacebook
Product-facebookFacebook for WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-49826
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.57% / 42.85%
||
7 Day CHG~0.00%
Published-21 Dec, 2023 | 12:34
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Soledad Theme <= 8.4.1 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

Action-Not Available
Vendor-pencidesignPenciDesign
Product-soledadSoledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-47130
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-3.15% / 86.36%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 20:30
Updated-14 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe deserialization of user data in yiisoft/yii

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-yiiframeworkyiisoftyiiframework
Product-yiiyiiyii
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-4386
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.77% / 51.04%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via queries

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks ProGutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-4402
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-1.34% / 67.86%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 06:35
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocks_proessential_blocksEssential Blocks ProGutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-38155
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7||HIGH
EPSS-1.29% / 66.71%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 16:58
Updated-30 Oct, 2025 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure DevOps Server Remote Code Execution Vulnerability

Azure DevOps Server Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_devops_serverAzure DevOps Server 2020.0.2Azure DevOps Server 2020.1.2Azure DevOps ServerAzure DevOps Server 2022.0.1Azure DevOps Server 2019.0.1
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-5968
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-6.96% / 93.35%
||
7 Day CHG-0.05%
Published-22 Jan, 2018 | 04:00
Updated-05 Aug, 2024 | 05:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Action-Not Available
Vendor-n/aRed Hat, Inc.FasterXML, LLC.NetApp, Inc.Debian GNU/Linux
Product-enterprise_linux_servervirtualizationdebian_linuxjackson-databindopenshift_container_platforme-series_santricity_os_controllervirtualization_hoste-series_santricity_web_services_proxyoncommand_shiftjboss_enterprise_application_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CVE-2021-32836
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-2.04% / 78.74%
||
7 Day CHG+0.07%
Published-09 Sep, 2021 | 02:05
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-auth unsafe deserialization in ZStack

ZStack is open source IaaS(infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body will be able to provide both the class name and the data to be deserialized and therefore will be able to instantiate an arbitrary type and assign arbitrary values to its fields. This issue may lead to a Denial Of Service. If a suitable gadget is available, then an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution. For additional details see the referenced GHSL-2021-087.

Action-Not Available
Vendor-zstackzstackio
Product-zstackzstack
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-32030
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-34.09% / 98.20%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 16:35
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI

Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230.

Action-Not Available
Vendor-provectusprovectus
Product-kafka-uiui
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27333
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.32% / 23.52%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paid Videochat Turnkey Site plugin <= 7.3.23 - Deserialization of untrusted data vulnerability

Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.

Action-Not Available
Vendor-VideoWhisper.com
Product-Paid Videochat Turnkey Site
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27369
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.54%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Celeste theme <= 1.3.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6.

Action-Not Available
Vendor-BoldThemes
Product-Celeste
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-27096
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.32% / 24.23%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 05:31
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ColorFolio - Freelance Designer WordPress Theme theme <= 1.3 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

Action-Not Available
Vendor-BuddhaThemes
Product-ColorFolio - Freelance Designer WordPress Theme
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found