Monthly
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.