Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-57527

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-26 Jun, 2026 | 14:43
Updated At-26 Jun, 2026 | 16:31
Rejected At-
Credits

ZAP ViewState Add-on Insecure Deserialization via JSFViewState.decode()

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:26 Jun, 2026 | 14:43
Updated At:26 Jun, 2026 | 16:31
Rejected At:
▼CVE Numbering Authority (CNA)
ZAP ViewState Add-on Insecure Deserialization via JSFViewState.decode()

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

Affected Products
Vendor
zaproxy
Product
zap-extensions
Repo
https://github.com/zaproxy/zap-extensions
Default Status
affected
Versions
Affected
  • From 0 before 4 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-502Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Neo by ProjectDiscovery
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/
technical-description
vendor-advisory
https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4
release-notes
https://github.com/zaproxy/zap-extensions/pull/7481
issue-tracking
https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c
patch
https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode
third-party-advisory
Hyperlink: https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/
Resource:
technical-description
vendor-advisory
Hyperlink: https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4
Resource:
release-notes
Hyperlink: https://github.com/zaproxy/zap-extensions/pull/7481
Resource:
issue-tracking
Hyperlink: https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:26 Jun, 2026 | 15:16
Updated At:26 Jun, 2026 | 17:16

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-502Secondarydisclosure@vulncheck.com
CWE ID: CWE-502
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5cdisclosure@vulncheck.com
N/A
https://github.com/zaproxy/zap-extensions/pull/7481disclosure@vulncheck.com
N/A
https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decodedisclosure@vulncheck.com
N/A
https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/disclosure@vulncheck.com
N/A
Hyperlink: https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/zaproxy/zap-extensions/pull/7481
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

91Records found

CVE-2025-24357
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.69% / 48.44%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 17:38
Updated-27 Jun, 2025 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-2485
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.34%
||
7 Day CHG+0.04%
Published-28 Mar, 2025 | 06:51
Updated-08 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.

Action-Not Available
Vendor-codedropzglenwpcoder
Product-drag_and_drop_multiple_file_upload_-_contact_form_7Drag and Drop Multiple File Upload for Contact Form 7
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-41779
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-1.05% / 60.21%
||
7 Day CHG~0.00%
Published-31 Oct, 2022 | 19:19
Updated-16 Apr, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. If the device connects to an attacker-controlled server, the attacker could send maliciously crafted packets that would be deserialized and executed, leading to remote code execution.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-infrasuite_device_masterInfraSuite Device Master
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-57516
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-0.48% / 38.16%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 16:36
Updated-02 Jul, 2026 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.

Action-Not Available
Vendor-Anyscale, Inc
Product-Ray
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-14534
Matching Score-4
Assigner-aa17e1a1-c329-4d6e-a1ed-8d0188aea082
ShareView Details
Matching Score-4
Assigner-aa17e1a1-c329-4d6e-a1ed-8d0188aea082
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-04 Jul, 2026 | 13:25
Updated-04 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

Action-Not Available
Vendor-trailofbits
Product-fickling
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-3359
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.74% / 50.18%
||
7 Day CHG~0.00%
Published-12 Dec, 2022 | 17:54
Updated-22 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection

The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Action-Not Available
Vendor-UnknownDepicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-3342
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.98% / 57.82%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetpack CRM <= 5.3.1 - Cross-Site Request Forgery and PHAR Deserialization

The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link.

Action-Not Available
Vendor-Automattic Inc.
Product-jetpack_crmJetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-31115
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.50% / 71.18%
||
7 Day CHG+0.21%
Published-30 Jun, 2022 | 21:55
Updated-22 Apr, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe YAML deserialization in opensearch-ruby

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-amazonopensearch-project
Product-opensearchopensearch-ruby
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-2886
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5||MEDIUM
EPSS-0.58% / 43.36%
||
7 Day CHG~0.00%
Published-19 Aug, 2022 | 12:00
Updated-15 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Laravel deserialization

A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-206688.

Action-Not Available
Vendor-laravelunspecified
Product-laravelLaravel
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-2434
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.21% / 64.61%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
String Locator <= 2.5.0 - Cross-Site Request Forgery to PHAR Deserialization

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Action-Not Available
Vendor-instawpinstawp
Product-string_locatorString locator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-2433
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.18% / 63.90%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-08 Apr, 2026 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Cross-Site Request Forgery to PHAR Deserialization

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Action-Not Available
Vendor-connekthqdcooney
Product-ajax_load_moreAjax Load More – Infinite Scroll, Load More, & Lazy Load
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-8145
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.16%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 01:44
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible

Action-Not Available
Vendor-Themeisle
Product-Redirection for Contact Form 7
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-19909
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.39% / 69.07%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 18:07
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used.

Action-Not Available
Vendor-sfun/a
Product-open_journal_systemn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-37054
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.52%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37053
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37059
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowmlflow
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37056
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37052
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG-0.01%
Published-04 Jun, 2024 | 11:59
Updated-03 Feb, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37060
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.77% / 51.06%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:02
Updated-03 Feb, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37057
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37055
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:00
Updated-03 Feb, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37058
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 12:01
Updated-03 Feb, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-lfprojectsMLflowlfprojects
Product-mlflowMLflowmlflow
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-11666
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-8.8||HIGH
EPSS-1.18% / 63.82%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 18:52
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deserialization of untrusted data.

Action-Not Available
Vendor-Micro Focus International Limited
Product-service_managerService Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-27322
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8.8||HIGH
EPSS-23.62% / 97.53%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 13:02
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-The R Projectr_project
Product-Rr
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-48101
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.30% / 22.27%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 16:26
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Constant Contact for WordPress Plugin <= 4.1.1 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.

Action-Not Available
Vendor-webdevstudios
Product-Constant Contact for WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-24590
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-8||HIGH
EPSS-2.45% / 82.42%
||
7 Day CHG~0.00%
Published-06 Feb, 2024 | 14:40
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Action-Not Available
Vendor-clearAllegro.AI
Product-clearmlClearML
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10957
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.61%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 13:41
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. An administrator must perform a search and replace action to trigger the exploit.

Action-Not Available
Vendor-davidanderson
Product-UpdraftPlus: WP Backup & Migration Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-52751
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-0.71% / 49.01%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 12:39
Updated-11 Jun, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands.

Action-Not Available
Vendor-nsanationalsecurityagency
Product-ghidraghidra
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11394
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-2.42% / 82.13%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11392
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-6.90% / 93.29%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Action-Not Available
Vendor-huggingfaceHugging Facehuggingface
Product-transformersTransformerstransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10962
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.01%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 13:54
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Migration, Backup, Staging – WPvivid <= 0.9.107 - Unauthenticated PHP Object Injection

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.

Action-Not Available
Vendor-wpvividpluginswpvividplugins
Product-WPvivid — Backup, Migration & Stagingmigration_backup_staging_wpvivd_backup_and_migration
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10932
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.79% / 51.79%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 07:24
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.

Action-Not Available
Vendor-inisev
Product-BackupBliss – Backup & Migration with Free Cloud Storage
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-10936
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.09% / 61.25%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 08:21
Updated-08 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
String Locator <= 2.6.6 - Unauthenticated PHP Object Injection

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.

Action-Not Available
Vendor-instawpinstawp
Product-string_locatorString locator
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-0936
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.67% / 47.39%
||
7 Day CHG~0.00%
Published-26 Jan, 2024 | 17:00
Updated-27 Aug, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
van_der_Schaar LAB TemporAI PKL File load_from_file deserialization

A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3. Affected by this vulnerability is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252181 was assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.

Action-Not Available
Vendor-vanderschaarlabvan_der_Schaar LAB
Product-temporaiTemporAI
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-6496
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.5||HIGH
EPSS-0.74% / 50.17%
||
7 Day CHG~0.00%
Published-15 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03809 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Browser version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.15.1 which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).

Action-Not Available
Vendor-Micro Focus International Limited
Product-universal_cmbd_browserUCMDB Browser
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-6497
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.38%
||
7 Day CHG~0.00%
Published-15 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).

Action-Not Available
Vendor-Micro Focus International Limited
Product-universal_cmbd_servercms_serverUniversal CMDB ServerCMS Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-27130
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.3||MEDIUM
EPSS-0.43% / 34.57%
||
7 Day CHG+0.03%
Published-01 Apr, 2025 | 08:57
Updated-08 Jul, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.

Action-Not Available
Vendor-welcartWelcart Inc.
Product-welcart_e-commerceWelcart e-Commerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-50222
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-1.15% / 62.84%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 02:14
Updated-12 Mar, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability

Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067.

Action-Not Available
Vendor-inductiveautomationInductive Automationinductiveautomation
Product-ignitionIgnitionignition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-50221
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-1.15% / 62.84%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 02:14
Updated-12 Mar, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability

Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926.

Action-Not Available
Vendor-inductiveautomationInductive Automationinductiveautomation
Product-ignitionIgnitionignition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41486
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.47% / 37.52%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 21:46
Updated-18 May, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

Action-Not Available
Vendor-anyscaleray-project
Product-rayray
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2018-19296
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.21% / 80.44%
||
7 Day CHG~0.00%
Published-16 Nov, 2018 | 09:00
Updated-05 Aug, 2024 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Action-Not Available
Vendor-phpmailer_projectn/aDebian GNU/LinuxWordPress.orgFedora Project
Product-debian_linuxphpmailerwordpressfedoran/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2024-11393
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-2.89% / 85.22%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-32484
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.28% / 19.80%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26.

Action-Not Available
Vendor-BoldGrid (InMotion Hosting, Inc.)
Product-weForms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-45394
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.58% / 72.54%
||
7 Day CHG~0.00%
Published-18 Jan, 2022 | 11:15
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.

Action-Not Available
Vendor-html2pdf_projectn/a
Product-html2pdfn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-51545
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.6||CRITICAL
EPSS-0.27% / 18.59%
||
7 Day CHG~0.00%
Published-29 Dec, 2023 | 12:48
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Job Manager & Career Plugin <= 1.4.4 is vulnerable to Cross Site Request Forgery (CSRF) leading to PHP Object Injection

Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in ThemeHigh Job Manager & Career – Manage job board listings, and recruitments.This issue affects Job Manager & Career – Manage job board listings, and recruitments: from n/a through 1.4.4.

Action-Not Available
Vendor-themehighThemeHigh
Product-job_manager_\&_careerJob Manager & Career – Manage job board listings, and recruitments
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-31221
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 30.47%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-15 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.

Action-Not Available
Vendor-lightningain/a
Product-pytorch_lightningn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-31222
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 31.19%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-15 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Action-Not Available
Vendor-snorkeln/a
Product-snorkeln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-31223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 31.19%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-15 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Action-Not Available
Vendor-snorkeln/a
Product-snorkeln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-31224
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 31.20%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-13 May, 2026 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-31232
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.52%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-14 May, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • Next
Details not found