Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-57677

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-02 Jul, 2026 | 11:15
Updated At-02 Jul, 2026 | 12:09
Rejected At-
Credits

WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:02 Jul, 2026 | 11:15
Updated At:02 Jul, 2026 | 12:09
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

Affected Products
Vendor
Novalnet
Product
Novalnet Payment Gateway for WooCommerce
Default Status
unaffected
Versions
Affected
  • From n/a through 12.10.3 (custom)
    • -> unaffectedfrom12.10.4
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-586CAPEC-586 Object Injection
CAPEC ID: CAPEC-586
Description: CAPEC-586 Object Injection
Solutions

Update the WordPress Novalnet Payment Gateway for WooCommerce Plugin to the latest available version (at least 12.10.4).

Configurations

Workarounds

Exploits

Credits

finder
qdtad | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/woocommerce-novalnet-gateway/vulnerability/wordpress-novalnet-payment-gateway-for-woocommerce-plugin-12-10-3-php-object-injection-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/woocommerce-novalnet-gateway/vulnerability/wordpress-novalnet-payment-gateway-for-woocommerce-plugin-12-10-3-php-object-injection-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:02 Jul, 2026 | 12:17
Updated At:02 Jul, 2026 | 13:58

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-502Primaryaudit@patchstack.com
CWE ID: CWE-502
Type: Primary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/woocommerce-novalnet-gateway/vulnerability/wordpress-novalnet-payment-gateway-for-woocommerce-plugin-12-10-3-php-object-injection-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/woocommerce-novalnet-gateway/vulnerability/wordpress-novalnet-payment-gateway-for-woocommerce-plugin-12-10-3-php-object-injection-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1000Records found

CVE-2025-39551
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.64%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FluentBoards plugin <= 1.47 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Object Injection.This issue affects FluentBoards: from n/a through <= 1.47.

Action-Not Available
Vendor-Mahmudul Hasan Arif
Product-FluentBoards
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39495
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avantage Theme <= 2.4.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects Avantage: from n/a through <= 2.4.9.

Action-Not Available
Vendor-BoldThemes
Product-Avantage
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39480
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Car Dealer theme < 1.6.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer cardealer allows Object Injection.This issue affects Car Dealer: from n/a through < 1.6.8.

Action-Not Available
Vendor-ThemeMakers
Product-Car Dealer
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17206
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.16% / 86.40%
||
7 Day CHG~0.00%
Published-05 Oct, 2019 | 22:01
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.

Action-Not Available
Vendor-redis_wrapper_projectn/a
Product-redis_wrappern/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-47065
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.14%
||
7 Day CHG+0.10%
Published-03 Jun, 2026 | 09:39
Updated-30 Jun, 2026 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class — bypassing the accepted classes list . ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class’s (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept(“com.myapp.*") , attacker supplies com.myapp.SomeClass ) causes <clinit> of SomeClass — and many real-world classes have side-effecting static initialisers Both issues have been fixed.

Action-Not Available
Vendor-The Apache Software Foundation
Product-minaApache MINA
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39588
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 32.71%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Store Kit Elementor Addons plugin <= 2.4.0 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Object Injection.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.4.0.

Action-Not Available
Vendor-BdThemes
Product-Ultimate Store Kit Elementor Addons
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GrandTour theme <= 5.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour grandtour allows Object Injection.This issue affects Grand Tour: from n/a through <= 5.6.

Action-Not Available
Vendor-themegoodsThemeGoods
Product-grand_tourGrand Tour
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-18283
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-5.43% / 91.74%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:08
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The AdminService is available without authentication on the Application Server. An attacker can gain remote code execution by sending specifically crafted objects to one of its functions. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.

Action-Not Available
Vendor-Siemens AG
Product-sppa-t3000_application_serverSPPA-T3000 Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39410
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 32.71%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 18:58
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Sections Theme Builder - WPBakery Page Builder Addon plugin <= 1.7.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon.This issue affects Smart Sections Theme Builder - WPBakery Page Builder Addon: from n/a through 1.7.8.

Action-Not Available
Vendor-themegusta
Product-Smart Sections Theme Builder - WPBakery Page Builder Addon
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.33% / 91.62%
||
7 Day CHG~0.00%
Published-12 Oct, 2019 | 20:07
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-enterprise_linux_serverretail_sales_auditcommunications_cloud_native_core_network_slice_selection_functioncommunications_billing_and_revenue_managementsiebel_engineering_-_installer_\&_deploymentjd_edwards_enterpriseone_orchestratorprimavera_gatewaybanking_platformoncommand_workflow_automationretail_merchandising_systemglobal_lifecycle_management_nextgen_oui_frameworksteelstore_cloud_integrated_storagedebian_linuxweblogic_serverjackson-databindcommunications_calendar_servertrace_file_analyzercommunications_evolved_communications_application_servergoldengate_application_adapterswebcenter_sitesjboss_enterprise_application_platformjd_edwards_enterpriseone_toolswebcenter_portaln/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-39354
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 31.59%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:48
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Grand Conference theme <= 5.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection.This issue affects Grand Conference: from n/a through <= 5.3.

Action-Not Available
Vendor-themegoodsThemeGoods
Product-grand_conferenceGrand Conference
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-45247
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-27.55% / 97.83%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 14:15
Updated-04 Jun, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-06-06||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Action-Not Available
Vendor-mirasvitMirasvitMirasvit
Product-full_page_cache_warmerFull Page Cache Warmer for Magento 2Mirasvit Full Page Cache Warmer
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17556
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.62% / 88.11%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 16:59
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Action-Not Available
Vendor-The Apache Software Foundation
Product-olingoOlingo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10915
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-86.62% / 99.72%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 20:51
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

Action-Not Available
Vendor-Veeam Software Group GmbH
Product-oneOne Agent
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-56057
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.26%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-26 Jun, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability

Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator Pro
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-35051
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-7.7||HIGH
EPSS-0.77% / 51.15%
||
7 Day CHG~0.00%
Published-09 Oct, 2025 | 20:19
Updated-26 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newforma Project Center Server (NPCS) .NET unauthenticated deserialization

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

Action-Not Available
Vendor-newformaNewforma
Product-project_centerProject Center
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-35050
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-9.3||CRITICAL
EPSS-0.84% / 53.39%
||
7 Day CHG~0.00%
Published-09 Oct, 2025 | 20:19
Updated-09 Jan, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newforma Info Exchange (NIX) .NET unauthenticated deserialization

Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is used by Newforma Project Center Server (NPCS), so a compromised NIX system can be used to attack an associated NPCS system. To mitigate this vulnerability, restrict network access to the '/remoteweb/remote.rem' endpoint, for example using the IIS URL Rewrite Module.

Action-Not Available
Vendor-newformaNewforma
Product-project_centerProject Center
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-36038
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9||CRITICAL
EPSS-8.02% / 94.07%
||
7 Day CHG~0.00%
Published-25 Jun, 2025 | 20:38
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server code execution

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncOracle CorporationHP Inc.Microsoft Corporation
Product-linux_kernelwindowswebsphere_application_serveraixsolarishp-uxiz\/osWebSphere Application Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-33255
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-7.5||HIGH
EPSS-0.57% / 42.78%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 02:58
Updated-21 May, 2026 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.

Action-Not Available
Vendor-NVIDIA Corporation
Product-tensorrt_llmTensorRT-LLM
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-53914
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-6.7||MEDIUM
EPSS-0.20% / 9.47%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 13:01
Updated-27 Jun, 2026 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

Action-Not Available
Vendor-JetBrains s.r.o.
Product-kotlinKotlin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32607
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 51.56%
||
7 Day CHG+0.07%
Published-11 Apr, 2025 | 08:42
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WpBookingly plugin <= 1.3.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly service-booking-manager allows Object Injection.This issue affects WpBookingly: from n/a through <= 1.3.0.

Action-Not Available
Vendor-MagePeople
Product-WpBookingly
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32292
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.32%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jarvis – Night Club, Concert, Festival WordPress theme <= 1.8.11 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress jarvis allows Object Injection.This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through <= 1.8.11.

Action-Not Available
Vendor-AncoraThemes
Product-Jarvis – Night Club, Concert, Festival WordPress
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17564
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-35.56% / 98.26%
||
7 Day CHG~0.00%
Published-01 Apr, 2020 | 21:17
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dubboApache Dubbo
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32928
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 31.59%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:53
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Altair theme <= 5.2.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through <= 5.2.2.

Action-Not Available
Vendor-themegoodsThemeGoods
Product-altairAltair
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32434
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.88% / 76.87%
||
7 Day CHG~0.00%
Published-18 Apr, 2025 | 15:48
Updated-01 Dec, 2025 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

Action-Not Available
Vendor-pytorchThe Linux Foundation
Product-pytorchpytorch
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-69872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.69%
||
7 Day CHG-0.04%
Published-11 Feb, 2026 | 00:00
Updated-03 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-n/aRed Hat AI Inference ServerRed Hat Satellite 6Red Hat OpenShift AI 3.3Red Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-32927
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 31.59%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 19:54
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FoodBakery plugin <= 3.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery wp-foodbakery allows Object Injection.This issue affects FoodBakery: from n/a through <= 3.3.

Action-Not Available
Vendor-chimpgroupChimpstudio
Product-foodbakeryFoodBakery
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17267
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.59% / 90.50%
||
7 Day CHG~0.00%
Published-06 Oct, 2019 | 23:08
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Action-Not Available
Vendor-n/aDebian GNU/LinuxOracle CorporationFasterXML, LLC.NetApp, Inc.Red Hat, Inc.
Product-debian_linuxweblogic_serveroncommand_api_servicesjackson-databindenterprise_linuxactive_iq_unified_managercustomer_management_and_segmentation_foundationgoldengate_application_adaptersoncommand_workflow_automationservice_level_managerjboss_enterprise_application_platformretail_customer_management_and_segmentation_foundationsteelstore_cloud_integrated_storagen/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-43208
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-82.71% / 99.63%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 00:00
Updated-31 Oct, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-06-10||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

Action-Not Available
Vendor-nextgenn/aNextGen Healthcare
Product-mirth_connectn/aMirth Connect
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-32444
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-1.48% / 70.73%
||
7 Day CHG+0.01%
Published-30 Apr, 2025 | 00:25
Updated-28 May, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM Vulnerable to Remote Code Execution via Mooncake Integration

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32375
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-45.77% / 98.65%
||
7 Day CHG+1.96%
Published-09 Apr, 2025 | 15:30
Updated-22 Apr, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization leads to RCE in BentoML's runner server

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8.

Action-Not Available
Vendor-bentomlbentoml
Product-bentomlBentoML
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-18364
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.48% / 87.68%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 14:54
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17571
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-69.06% / 99.27%
||
7 Day CHG~0.00%
Published-20 Dec, 2019 | 16:01
Updated-28 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Action-Not Available
Vendor-Oracle CorporationNetApp, Inc.openSUSECanonical Ltd.The Apache Software FoundationDebian GNU/Linux
Product-application_testing_suiteendeca_information_discovery_studiooncommand_workflow_automationretail_extract_transform_and_loadleaprapid_planningdebian_linuxweblogic_serverubuntu_linuxoncommand_system_managercommunications_network_integrityfinancial_services_lending_and_leasingprimavera_gatewaylog4jmysql_enterprise_monitorretail_service_backbonebookkeeperLog4j
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32569
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 51.59%
||
7 Day CHG+0.07%
Published-11 Apr, 2025 | 08:42
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TableOn plugin <= 1.0.4.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in RealMag777 TableOn posts-table-filterable allows Object Injection.This issue affects TableOn: from n/a through <= 1.0.4.3.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-TableOn
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-41330
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.88% / 76.86%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 17:33
Updated-30 Sep, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. ## Issue On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.

Action-Not Available
Vendor-knplabsKnpLabs
Product-snappysnappy
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32568
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.78% / 51.59%
||
7 Day CHG+0.07%
Published-11 Apr, 2025 | 08:42
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EmpikPlace for Woocommerce Plugin <= 1.4.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce empik-for-woocommerce allows Object Injection.This issue affects EmpikPlace for Woocommerce: from n/a through <= 1.4.3.

Action-Not Available
Vendor-empik
Product-EmpikPlace for Woocommerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-32897
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.68% / 74.16%
||
7 Day CHG~0.00%
Published-28 Jun, 2025 | 18:25
Updated-30 Mar, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Severity Justification: The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-seataApache Seata (incubating)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31429
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.32%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:56
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PressGrid - Frontend Publish Reaction & Multimedia Theme <= 1.3.1 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia Theme allows Object Injection. This issue affects PressGrid - Frontend Publish Reaction & Multimedia Theme: from n/a through 1.3.1.

Action-Not Available
Vendor-themeton
Product-PressGrid - Frontend Publish Reaction & Multimedia Theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31927
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.

Action-Not Available
Vendor-themeton
Product-Acerola
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31049
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.56%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dash <= 1.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.

Action-Not Available
Vendor-themeton
Product-Dash
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-17570
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-49.29% / 98.75%
||
7 Day CHG~0.00%
Published-23 Jan, 2020 | 00:00
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Action-Not Available
Vendor-Canonical Ltd.The Apache Software FoundationRed Hat, Inc.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxsoftware_collectionsfedoraenterprise_linuxxml-rpcApache XML-RPC
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31631
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fish House theme <= 1.2.7 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House fish-house allows Object Injection.This issue affects Fish House: from n/a through <= 1.2.7.

Action-Not Available
Vendor-AncoraThemes
Product-Fish House
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-30985
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 33.01%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 11:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GNUCommerce plugin <= 1.5.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in kagla GNUCommerce gnucommerce allows Object Injection.This issue affects GNUCommerce: from n/a through <= 1.5.4.

Action-Not Available
Vendor-kagla
Product-GNUCommerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31430
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Business <= 1.6.1 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton The Business allows Object Injection. This issue affects The Business: from n/a through 1.6.1.

Action-Not Available
Vendor-themeton
Product-The Business
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31398
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:56
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PIMP - Creative MultiPurpose <= 1.7 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7.

Action-Not Available
Vendor-themeton
Product-PIMP - Creative MultiPurpose
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31052
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 38.47%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:56
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Fashion - Model Agency One Page Beauty Theme plugin <= 1.4.4 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection.This issue affects The Fashion - Model Agency One Page Beauty Theme: from n/a through <= 1.4.4.

Action-Not Available
Vendor-themeton
Product-The Fashion - Model Agency One Page Beauty Theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31919
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.75%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spare <= 1.7 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7.

Action-Not Available
Vendor-themeton
Product-Spare
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31612
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.63% / 45.64%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 20:58
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CBX Poll plugin <= 2.0.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll cbxpoll allows Object Injection.This issue affects CBX Poll: from n/a through <= 2.0.4.

Action-Not Available
Vendor-Sabuj Kundu
Product-CBX Poll
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31084
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.63% / 45.69%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 05:31
Updated-12 May, 2026 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sunshine Photo Cart plugin <= 3.4.10 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Object Injection.This issue affects Sunshine Photo Cart: from n/a through <= 3.4.10.

Action-Not Available
Vendor-sunshinephotocartsunshinephotocart
Product-sunshine_photo_cartSunshine Photo Cart
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-31069
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HotStar – Multi-Purpose Business Theme <= 1.4 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Object Injection. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4.

Action-Not Available
Vendor-themeton
Product-HotStar – Multi-Purpose Business Theme
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 19
  • 20
  • Next
Details not found