Deserialization
Monthly
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
Heap-based buffer overflow in NVIDIA TensorRT-LLM's tensor deserialization path lets an adjacent, unauthenticated attacker corrupt heap memory by supplying a crafted serialized tensor, potentially causing information disclosure, data tampering, or denial of service. All platforms running affected TensorRT-LLM versions are impacted. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; NVIDIA rates exploitation as high-complexity (AC:H).
Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker to run arbitrary code on the database server by sending crafted data that the engine deserializes unsafely (CWE-502). Any account able to submit queries or data over the network to a vulnerable instance can achieve full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating and the RCE-with-low-privilege profile make it a high-priority patch.
Remote code execution in Microsoft SQL Server 2025 (CU6 and the x64 GDR branch) lets an authenticated attacker run arbitrary code across the network by supplying maliciously crafted serialized data that the server deserializes without validation (CWE-502). The flaw was reported by Microsoft, carries a CVSS 3.1 base score of 8.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.
Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.
Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-502 root cause and 7.6 CVSS make this a meaningful patch priority for SAP landscapes.
Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.
PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.
Remote PHP object injection in the axiomthemes '777' (triple-seven) WordPress theme allows attackers to instantiate arbitrary PHP objects by supplying crafted serialized data to a vulnerable unserialize() call, affecting all versions up to and including 1.13.0. With the reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scoring 9.8, an unauthenticated network attacker can achieve high-impact compromise if a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.
PHP Object Injection in the WordPress Events Manager plugin (Marcus/@msykes) affects all versions up to and including 7.3.6, letting remote attackers deserialize untrusted data and instantiate arbitrary PHP objects. When paired with a suitable POP gadget chain present in the plugin, WordPress core, or another installed plugin, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV, though the network vector combined with only requiring user interaction makes it a serious patch priority.
PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.
Unsafe deserialization in AkariAsai self-rag's `Indexer.deserialize_from` function exposes any deployment that processes externally supplied FAISS index files to potential arbitrary code execution. The vulnerability resides in `retrieval_lm/src/index.py` and is triggered when the `index_meta.faiss` argument is manipulated with a crafted payload - a classic CWE-502 pattern where Python's serialization routines (typically pickle) blindly instantiate attacker-controlled objects. A publicly available proof-of-concept exists per GitHub issue #105, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No active exploitation has been confirmed by CISA KEV, and the project maintainer had not formally responded to the disclosure at time of reporting.
Unsafe deserialization in HashNeRF-pytorch's Checkpoint File Handler allows a local low-privileged attacker to achieve arbitrary code execution by supplying a malicious file via the `ckpt_path` argument to `torch.load()` in `run_nerf.py`. All commits up to 82885e698295982504eb6a26d060a6b2473e3706 are affected; a fix exists as an unmerged pull request (PR #50). A public exploit has been disclosed via GitHub issue #49, though no CISA KEV listing has been identified, indicating no confirmed widespread active exploitation at time of analysis.
Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by luring a victim into interacting with crafted content that triggers unsafe deserialization (CWE-502). The flaw carries CVSS 8.3 with a scope change, meaning successful exploitation can break out of the browser's security boundary, though there is no public exploit identified at time of analysis and Microsoft has already shipped a fix.
Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.
Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.
Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.
Remote command execution in Dell Unisphere for PowerMax versions 10.3.0.5 and prior allows a low-privileged authenticated user to run arbitrary OS commands with root privileges by abusing unsafe deserialization of untrusted data (CWE-502). Because the CVSS vector is AV:N/AC:L/PR:L, any account with minimal access on the management interface can escalate to full root control of the storage-management appliance. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low attack complexity and full CIA impact make it a high-priority patch for storage administrators.
PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.
Improper input validation in the snap7 library (versions up to 1.4.3) allows adjacent-network attackers to trigger a deserialization flaw via crafted ReadVar requests processed by TS7Worker::PerformFunctionRead in the S7 server component. Exploitation results in partial confidentiality, integrity, and availability impact against the snap7 server process - a concern in industrial OT environments where PLC communication libraries may interface with safety-relevant systems. No vendor-released patch exists as the maintainer has not responded to disclosure, and a publicly available proof-of-concept exploit lowers the barrier to exploitation.
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.
Untrusted JMS deserialization in Apache Camel's JMS-family components (camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6) lets an attacker who can publish an ObjectMessage to a consumed queue or topic inject arbitrary Exchange state - body, IN/OUT headers, properties, variables, exchange id and exception - into a Camel route. It affects 3.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x when mapJmsMessage (the default) is enabled and Camel acts as a JMS consumer. This is a bypass of the earlier CVE-2026-40860 hardening, requires no gadget chain (only java.lang/java.util types), carries CVSS 7.3, and has no public exploit identified at time of analysis (EPSS 0.18%).
Java object deserialization in the Apache Camel camel-pqc component allows code execution in the key-management application when an attacker who can write to the backing AWS Secrets Manager secret stores a malicious serialized payload. The flaw affects Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x, where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() calls a raw ObjectInputStream.readObject() with no class filter, so gadget side effects fire before the KeyMetadata cast. Rated CVSS 9.8 by Apache, but exploitation genuinely requires IAM write access to the specific secret; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (8th percentile).
Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x. The HashiCorp Vault and AWS Secrets Manager KeyLifecycleManager implementations (and a legacy-migration path in the file-based manager) read post-quantum key metadata back with a raw ObjectInputStream.readObject() lacking any ObjectInputFilter or allow-list, so a principal able to write to the key backend can plant a gadget object that executes during normal key-lifecycle operations. No public exploit has been identified at time of analysis and EPSS is low (0.19%), but SSVC rates technical impact as total; this is an incomplete-remediation follow-on to CVE-2026-40048.
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).
Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern bundled with several components ('java.**;javax.**;org.apache.camel.**;!*') uses a recursive java.** glob that allow-lists java.net.URL and java.net.InetAddress. Remote attackers who can deliver a Java-serialized payload to an affected Camel consumer - most notably the camel-jms family, where JmsBinding.extractBodyFromJms calls ObjectMessage.getObject() by default (mapJmsMessage=true) - can force the JVM to issue DNS queries to an attacker-controlled host during deserialization side-effects, yielding an observable out-of-band channel. Reported by Apache; there is no public exploit identified at time of analysis, EPSS is low (0.31%, 23rd percentile), and it is not listed in CISA KEV.
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).
Unsafe deserialization in AD-Security AD_Miner 1.9.0 allows a local low-privilege attacker to achieve code execution by supplying a crafted serialized payload as the sys.argv[1] argument to the Cache Handler's request_a function in analyse_cache.py. The attack is strictly local with no network exposure, and impacts confidentiality, integrity, and availability at a low level within the vulnerable process. No public exploit has been identified; an upstream fix exists as GitHub PR #239 but awaits acceptance, meaning no released patched version is currently available.
PHP object injection in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to pass attacker-controlled data into the getCartItems() function of application/libraries/ShoppingCart.php, which deserializes the shopping_cart argument (CWE-502). Depending on available gadget chains in the CodeIgniter application, this can lead to code execution or denial of service. Publicly available exploit code exists (VulDB, GHSA-9g5q-g6m3-v5cr), but there is no public exploit identified as being used in active attacks and the item is not in CISA KEV; EPSS was not provided.
Security-control bypass in Trail of Bits fickling (≤0.1.11) neuters its MLAllowlist analysis pass so that malicious pickle files pass fickling's check_safety() gate as LIKELY_SAFE, enabling arbitrary code execution when fickling.load() deserializes them. Because UnsafeImportsML pre-registers every import in the shared reported_shortened_code set, MLAllowlist always short-circuits and never validates imports against the known-safe ML ecosystem, so any standard-library module outside the UNSAFE_IMPORTS denylist can be smuggled through. Publicly available exploit code exists (SSVC 'poc'); it is not listed in CISA KEV and EPSS is low (0.30%), consistent with a demonstrated-but-not-yet-widespread threat.
Malicious code execution via scanner bypass affects picklescan before 0.0.34, a security tool used to vet pickle files for unsafe deserialization before loading ML model artifacts. The scanner fails to flag the _operator.methodcaller built-in, so an attacker can craft a pickle that passes picklescan's malware check yet executes arbitrary code the moment a victim calls pickle.load(). No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; the fix landed in version 0.0.34.
Security-scanner bypass in Picklescan before 0.0.33 lets attackers smuggle arbitrary-code-execution payloads past its safety checks by abusing the numpy.f2py.crackfortran.getlincoef gadget inside a pickle __reduce__ method, which the scanner fails to flag as dangerous. Because Picklescan is used to vet shared machine-learning model files, a malicious pickle passes as 'clean' and then executes attacker-controlled Python when the trusting downstream consumer deserializes it. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 score is 7.6 and the attack depends on a victim actually loading the file.
Safety-check bypass in picklescan before 0.0.28 allows attackers to smuggle malicious pickle files past the scanner by abusing torch.utils.data.datapipes.utils.decoder.basichandlers as a reduce gadget, so a payload the tool reports as clean still executes arbitrary code when the victim deserializes it. Because picklescan is a defensive scanner used to vet untrusted ML models (notably in Hugging Face workflows), this blind spot converts a trusted safety gate into a false sense of security. No public exploit identified at time of analysis, and it is not on CISA KEV; CVSS 4.0 base score is 7.6.
Security-scanner detection bypass in picklescan before 0.0.34 lets attackers slip malicious pickle files past its checks by invoking _operator.attrgetter inside a reduce method, so a file the scanner reports as clean still executes arbitrary code when pickle.load() deserializes it. The flaw affects ML/AI supply-chain pipelines that rely on picklescan to vet untrusted model files. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 0.0.34.
Security-scanner evasion in picklescan before 0.0.28 lets attackers slip malicious pickle files past its safety checks by abusing the torch.utils.bottleneck.__main__.run_cprofile call, which the scanner's blocklist does not recognize as dangerous. Any ML pipeline or platform that relies on picklescan to vet untrusted models will therefore approve a weaponized file, and the embedded code runs with arbitrary execution when the victim deserializes it. No public exploit identified at time of analysis; not listed in CISA KEV, but VulnCheck published a dedicated advisory and the technique is fully documented.
Detection bypass in picklescan before 0.0.30 lets a crafted pickle smuggle the asyncio.unix_events._UnixSubprocessTransport._start built-in past the scanner's malicious-opcode checks, so a model or pickle that picklescan reports as safe actually executes arbitrary OS commands when a victim deserializes it. Because picklescan is a security scanner used to vet untrusted ML artifacts (e.g. in AI model supply chains), this false-negative turns a trusted safety gate into a blind spot. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is fully described in the VulnCheck advisory.
Malicious-pickle detection bypass in picklescan before 0.0.33 lets attackers smuggle arbitrary code past the scanner by abusing numpy.f2py.crackfortran functions that call eval() on attacker-controlled strings. Because picklescan is itself the security tool meant to vet untrusted pickle/model files, this evasion causes a weaponized pickle to be marked safe, so the embedded code executes when the file is later deserialized. Reported by VulnCheck with a CVSS 4.0 score of 7.6; no public exploit identified at time of analysis and it is not in CISA KEV.
Security-control bypass in picklescan before 0.0.29 lets attackers craft malicious pickle files that evade its malware scanner by hiding a reduce-method payload behind Python's idlelib.calltip.get_entity function, so a file the scanner reports as clean executes arbitrary commands when a victim deserializes it. Affected are ML/AI pipelines and users relying on picklescan to vet untrusted model artifacts. No public exploit or CISA KEV listing is identified at time of analysis, though the technique and a GitHub Security Advisory (GHSA-9xph-j2h6-g47v) are documented by VulnCheck.
Detection bypass in picklescan before 0.0.29 lets attackers slip malicious pickle payloads past the scanner by abusing lib2to3.pgen2.grammar.Grammar.loads inside a pickle reduce method, resulting in remote code execution when the file is later deserialized with pickle.load(). Because picklescan is trusted as a safety gate for machine-learning model files, a bypass converts a 'scanned and clean' verdict into silent arbitrary code execution. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, though the technique is concretely described in the VulnCheck advisory.
Security scanner bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code past the tool's malware detection by abusing torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression, which is not on picklescan's dangerous-globals blocklist. Because picklescan is a defensive tool used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), a bypass causes a malicious model to be marked safe and then execute remote code when the victim deserializes it. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV, but the technique is fully described in the VulnCheck advisory.
Detection bypass in picklescan before 0.0.28 lets attackers smuggle malicious pickle files past the scanner by abusing the torch._dynamo.guards.GuardBuilder.get gadget inside a __reduce__ method, so a file that picklescan reports as safe still executes arbitrary commands when deserialized (e.g. via torch.load). This undermines the security control that ML pipelines and model hubs rely on to vet untrusted model artifacts, turning a trusted-scan result into a false negative. Reported by VulnCheck with a vendor GHSA advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Security-scanner evasion in picklescan before 0.0.33 lets attackers smuggle malicious pickle files past its detection engine by abusing the numpy.f2py.crackfortran.param_eval function inside a pickle reduce method, so a payload the scanner declares safe still triggers arbitrary code execution when the application deserializes it. This defeats the exact protection picklescan exists to provide, endangering ML pipelines that rely on it to vet untrusted model/pickle files (e.g., Hugging Face-style workflows). No public exploit is identified at time of analysis and it is not in CISA KEV, though VulnCheck published an advisory.
Malicious-pickle detection bypass in picklescan before 0.0.30 allows attackers to smuggle undetected remote code execution payloads past the scanner by abusing the torch.utils.bottleneck.__main__.run_autograd_prof gadget, which was absent from picklescan's dangerous-import blocklist. Because picklescan is used as a security gate to vet untrusted ML model files, a false-negative here means a crafted model passes as safe and executes arbitrary code when subsequently deserialized. Reported by VulnCheck via GHSA-4whj-rm5r-c2v8; no public exploit identified at time of analysis, and it is not on CISA KEV.
Detection bypass in picklescan before 0.0.30 lets attackers smuggle malicious pickle files past the scanner by abusing lib2to3.pgen2.pgen.ParserGenerator.make_label as a reduce callable, so a file that picklescan clears still runs arbitrary commands when downstream code calls pickle.load(). picklescan is the security control itself - a static scanner used to vet ML model artifacts - so this weakness undermines the exact protection teams rely on to catch unsafe pickles. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is documented in VulnCheck and vendor advisories.
Malicious pickle detection bypass in picklescan before 0.0.30 lets attackers hide code that runs during pickle.load, because the scanner does not flag the idlelib.run.Executive.runcode primitive used in a reduce method. Since picklescan is a security tool relied upon to vet PyTorch/ML model files, this bypass turns a trusted safety check into a false 'clean' verdict, enabling remote code execution and supply-chain attacks against anyone loading an attacker-supplied model. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
Denial-of-service in WatchGuard Fireware OS Management Web UI allows an authenticated administrator to crash the management service by submitting crafted input to the put_data endpoint, which performs unsafe deserialization of attacker-controlled data (CWE-502). The CVSS 4.0 vector (PR:H, VA:H) confirms that exploitation is restricted to administrator-level accounts and results in availability loss only - no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this firmly in the insider-threat and compromised-credential risk category.
PHP Object Injection in the Themify Popup WordPress plugin (all versions through 1.4.3) lets an authenticated attacker pass attacker-controlled serialized data into an unsafe deserialization sink (CWE-502), instantiating arbitrary PHP objects. Combined with a suitable gadget chain in the plugin, WordPress core, or other installed code, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack; no public exploit is identified at time of analysis and it is not on CISA KEV.
Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.
Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Remote code execution in Ray (the distributed compute/ML framework) before version 2.56.0 lets attackers run arbitrary code by feeding a malicious tar archive to the WebDataset reader. The read_webdataset() datasource invokes pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries with no validation, so code executes inside every Ray remote worker that processes the archive. No public exploit has been identified at time of analysis, but the fix is available in Ray 2.56.0 and the issue is documented in a GitHub Security Advisory (GHSA-hhrp-gw25-jr43) and a VulnCheck advisory.
Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.
Local code execution and privilege escalation in NVIDIA Megatron Bridge (Linux) stems from unsafe handling of dynamically managed code resources, rooted in an insecure deserialization flaw (CWE-502). A low-privileged local user who can influence the data or model artifacts Megatron Bridge loads can achieve arbitrary code execution, escalate privileges, tamper with data, and disclose information. NVIDIA self-reported the issue with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and code execution in NVIDIA Megatron Bridge for Linux stems from unsafe deserialization of attacker-controlled input (CWE-502), allowing a low-privileged local user to achieve arbitrary code execution, tamper with data, and disclose information. NVIDIA reported the flaw with no public exploit identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided. Megatron Bridge is an ML/LLM training framework, so impact centers on shared GPU/training hosts rather than internet-facing services.
Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux allows a low-privileged local attacker to achieve code execution, privilege escalation, data tampering, and information disclosure. Megatron Bridge is NVIDIA's model-interoperability tooling used to convert and load large-language-model checkpoints in the Megatron/PyTorch training stack, where unsafe object deserialization (CWE-94) lets attacker-controlled serialized data run arbitrary code in the process context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 (High) rating with full C/I/A impact makes it a meaningful risk on shared or multi-tenant ML infrastructure.
Insecure deserialization in NVIDIA Megatron Bridge for Linux (CWE-502) lets an attacker who supplies a crafted serialized object achieve code execution, privilege escalation, data tampering, and information disclosure when a local user loads that data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows the attack is local and hinges on the victim opening attacker-controlled content, with no public exploit identified at time of analysis. Megatron Bridge is a specialized NVIDIA library for bridging large-language-model training frameworks, so exposure is concentrated in ML/AI training and research environments rather than general enterprise fleets.
Arbitrary code execution in NVIDIA Megatron Bridge for Linux arises from unsafe deserialization of untrusted data (CWE-502), allowing an attacker who tricks a user into loading a crafted serialized object to execute code, escalate privileges, tamper with data, and disclose information. The flaw affects the Megatron Bridge model-conversion/training tooling and is locally exploitable but hinges on victim interaction (UI:R). No public exploit code has been identified and the issue is not in CISA KEV, so there is currently no evidence of active exploitation.
Arbitrary code execution and privilege escalation in NVIDIA Megatron Bridge on Linux arises from unsafe deserialization of untrusted data, allowing a local attacker who convinces a user to load a malicious serialized object to run code, tamper with data, and disclose information. NVIDIA (the reporting vendor) rates it 7.8 (High); the CVSS vector requires local access and user interaction, so exploitation is not remote-unauthenticated. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary code execution in NVIDIA Megatron Bridge (all versions per the NVIDIA advisory) arises from unsafe deserialization of untrusted data (CWE-502), where an attacker supplies a crafted serialized object — typically a malicious model checkpoint or configuration artifact — that a user loads locally, yielding code execution, privilege escalation, data tampering, and information disclosure. The CVSS 3.1 base score is 7.8 (High) with a local vector requiring user interaction (AV:L/UI:R) and no attacker privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.
Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux (CWE-502) can lead to arbitrary code execution, privilege escalation, data tampering, and information disclosure when a user loads attacker-controlled data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) indicates a local attack requiring the victim to open or process a malicious artifact — consistent with unsafe deserialization of a model checkpoint, config, or serialized object. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.
Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Pivotal CRM 6.6.4.08 (Aurea) arises from insecure deserialization in the Pivotal.Engine.Client.Services.Conversion.dll component, letting remote attackers run arbitrary code on the server. This is a bypass of the incomplete fix for CVE-2026-39253, and it remains exploitable on systems that only applied the earlier patch-ghi-15381-cwe-502-20251225.zip. No public exploit code has been identified, though public advisories exist for both this issue and its predecessor; EPSS is modest at 0.57% (43rd percentile) and it is not in CISA KEV.
Remote code execution risk in c3p0 versions prior to 0.14.0 arises from the library serving as an essential 'sink' in Java deserialization gadget chains. c3p0's DataSource and ConnectionPoolDataSource objects conform to JavaBean's getXXX() naming convention, causing commons-beanutils and similar libraries to invoke JDBC connection methods as though they were safe property accessors during deserialization - triggering arbitrary JDBC driver execution under attacker control. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 vector scores this at 6.3, largely due to the partial attack requirements (AT:P), though real-world impact when prerequisites are met can substantially exceed that rating.
Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.
Arbitrary code execution bypass in picklescan before 0.0.29 lets attackers smuggle malicious Python pickle files past the scanner by abusing the built-in profile.Profile.run function inside a pickle __reduce__ method, which picklescan's blocklist fails to flag. Because picklescan is a defensive ML supply-chain tool meant to certify pickle/model files as safe, the flaw is a security-control evasion: a file marked 'clean' executes attacker code on deserialization. No public exploit is identified at time of analysis, and it is not in CISA KEV; the CVSS 4.0 base score is 7.6 (High).
Malicious-pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle weaponized pickle files past the scanner by abusing `code.InteractiveInterpreter.runcode` inside a `__reduce__` method, leading to arbitrary code execution when the file is later deserialized with `pickle.load()`. picklescan is a security scanner specifically meant to flag dangerous pickles (e.g. in ML model files), so a gap in its blocklist directly defeats the control users rely on. Reported by VulnCheck with an assigned CVSS 4.0 score of 7.6; no public exploit and no CISA KEV listing identified at time of analysis.
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
Heap-based buffer overflow in NVIDIA TensorRT-LLM's tensor deserialization path lets an adjacent, unauthenticated attacker corrupt heap memory by supplying a crafted serialized tensor, potentially causing information disclosure, data tampering, or denial of service. All platforms running affected TensorRT-LLM versions are impacted. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; NVIDIA rates exploitation as high-complexity (AC:H).
Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker to run arbitrary code on the database server by sending crafted data that the engine deserializes unsafely (CWE-502). Any account able to submit queries or data over the network to a vulnerable instance can achieve full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating and the RCE-with-low-privilege profile make it a high-priority patch.
Remote code execution in Microsoft SQL Server 2025 (CU6 and the x64 GDR branch) lets an authenticated attacker run arbitrary code across the network by supplying maliciously crafted serialized data that the server deserializes without validation (CWE-502). The flaw was reported by Microsoft, carries a CVSS 3.1 base score of 8.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.
Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.
Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-502 root cause and 7.6 CVSS make this a meaningful patch priority for SAP landscapes.
Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.
PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.
Remote PHP object injection in the axiomthemes '777' (triple-seven) WordPress theme allows attackers to instantiate arbitrary PHP objects by supplying crafted serialized data to a vulnerable unserialize() call, affecting all versions up to and including 1.13.0. With the reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scoring 9.8, an unauthenticated network attacker can achieve high-impact compromise if a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.
PHP Object Injection in the WordPress Events Manager plugin (Marcus/@msykes) affects all versions up to and including 7.3.6, letting remote attackers deserialize untrusted data and instantiate arbitrary PHP objects. When paired with a suitable POP gadget chain present in the plugin, WordPress core, or another installed plugin, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV, though the network vector combined with only requiring user interaction makes it a serious patch priority.
PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.
Unsafe deserialization in AkariAsai self-rag's `Indexer.deserialize_from` function exposes any deployment that processes externally supplied FAISS index files to potential arbitrary code execution. The vulnerability resides in `retrieval_lm/src/index.py` and is triggered when the `index_meta.faiss` argument is manipulated with a crafted payload - a classic CWE-502 pattern where Python's serialization routines (typically pickle) blindly instantiate attacker-controlled objects. A publicly available proof-of-concept exists per GitHub issue #105, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No active exploitation has been confirmed by CISA KEV, and the project maintainer had not formally responded to the disclosure at time of reporting.
Unsafe deserialization in HashNeRF-pytorch's Checkpoint File Handler allows a local low-privileged attacker to achieve arbitrary code execution by supplying a malicious file via the `ckpt_path` argument to `torch.load()` in `run_nerf.py`. All commits up to 82885e698295982504eb6a26d060a6b2473e3706 are affected; a fix exists as an unmerged pull request (PR #50). A public exploit has been disclosed via GitHub issue #49, though no CISA KEV listing has been identified, indicating no confirmed widespread active exploitation at time of analysis.
Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by luring a victim into interacting with crafted content that triggers unsafe deserialization (CWE-502). The flaw carries CVSS 8.3 with a scope change, meaning successful exploitation can break out of the browser's security boundary, though there is no public exploit identified at time of analysis and Microsoft has already shipped a fix.
Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.
Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.
Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.
Remote command execution in Dell Unisphere for PowerMax versions 10.3.0.5 and prior allows a low-privileged authenticated user to run arbitrary OS commands with root privileges by abusing unsafe deserialization of untrusted data (CWE-502). Because the CVSS vector is AV:N/AC:L/PR:L, any account with minimal access on the management interface can escalate to full root control of the storage-management appliance. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low attack complexity and full CIA impact make it a high-priority patch for storage administrators.
PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.
Improper input validation in the snap7 library (versions up to 1.4.3) allows adjacent-network attackers to trigger a deserialization flaw via crafted ReadVar requests processed by TS7Worker::PerformFunctionRead in the S7 server component. Exploitation results in partial confidentiality, integrity, and availability impact against the snap7 server process - a concern in industrial OT environments where PLC communication libraries may interface with safety-relevant systems. No vendor-released patch exists as the maintainer has not responded to disclosure, and a publicly available proof-of-concept exploit lowers the barrier to exploitation.
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.
Untrusted JMS deserialization in Apache Camel's JMS-family components (camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6) lets an attacker who can publish an ObjectMessage to a consumed queue or topic inject arbitrary Exchange state - body, IN/OUT headers, properties, variables, exchange id and exception - into a Camel route. It affects 3.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x when mapJmsMessage (the default) is enabled and Camel acts as a JMS consumer. This is a bypass of the earlier CVE-2026-40860 hardening, requires no gadget chain (only java.lang/java.util types), carries CVSS 7.3, and has no public exploit identified at time of analysis (EPSS 0.18%).
Java object deserialization in the Apache Camel camel-pqc component allows code execution in the key-management application when an attacker who can write to the backing AWS Secrets Manager secret stores a malicious serialized payload. The flaw affects Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x, where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() calls a raw ObjectInputStream.readObject() with no class filter, so gadget side effects fire before the KeyMetadata cast. Rated CVSS 9.8 by Apache, but exploitation genuinely requires IAM write access to the specific secret; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (8th percentile).
Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x. The HashiCorp Vault and AWS Secrets Manager KeyLifecycleManager implementations (and a legacy-migration path in the file-based manager) read post-quantum key metadata back with a raw ObjectInputStream.readObject() lacking any ObjectInputFilter or allow-list, so a principal able to write to the key backend can plant a gadget object that executes during normal key-lifecycle operations. No public exploit has been identified at time of analysis and EPSS is low (0.19%), but SSVC rates technical impact as total; this is an incomplete-remediation follow-on to CVE-2026-40048.
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).
Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern bundled with several components ('java.**;javax.**;org.apache.camel.**;!*') uses a recursive java.** glob that allow-lists java.net.URL and java.net.InetAddress. Remote attackers who can deliver a Java-serialized payload to an affected Camel consumer - most notably the camel-jms family, where JmsBinding.extractBodyFromJms calls ObjectMessage.getObject() by default (mapJmsMessage=true) - can force the JVM to issue DNS queries to an attacker-controlled host during deserialization side-effects, yielding an observable out-of-band channel. Reported by Apache; there is no public exploit identified at time of analysis, EPSS is low (0.31%, 23rd percentile), and it is not listed in CISA KEV.
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).
Unsafe deserialization in AD-Security AD_Miner 1.9.0 allows a local low-privilege attacker to achieve code execution by supplying a crafted serialized payload as the sys.argv[1] argument to the Cache Handler's request_a function in analyse_cache.py. The attack is strictly local with no network exposure, and impacts confidentiality, integrity, and availability at a low level within the vulnerable process. No public exploit has been identified; an upstream fix exists as GitHub PR #239 but awaits acceptance, meaning no released patched version is currently available.
PHP object injection in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to pass attacker-controlled data into the getCartItems() function of application/libraries/ShoppingCart.php, which deserializes the shopping_cart argument (CWE-502). Depending on available gadget chains in the CodeIgniter application, this can lead to code execution or denial of service. Publicly available exploit code exists (VulDB, GHSA-9g5q-g6m3-v5cr), but there is no public exploit identified as being used in active attacks and the item is not in CISA KEV; EPSS was not provided.
Security-control bypass in Trail of Bits fickling (≤0.1.11) neuters its MLAllowlist analysis pass so that malicious pickle files pass fickling's check_safety() gate as LIKELY_SAFE, enabling arbitrary code execution when fickling.load() deserializes them. Because UnsafeImportsML pre-registers every import in the shared reported_shortened_code set, MLAllowlist always short-circuits and never validates imports against the known-safe ML ecosystem, so any standard-library module outside the UNSAFE_IMPORTS denylist can be smuggled through. Publicly available exploit code exists (SSVC 'poc'); it is not listed in CISA KEV and EPSS is low (0.30%), consistent with a demonstrated-but-not-yet-widespread threat.
Malicious code execution via scanner bypass affects picklescan before 0.0.34, a security tool used to vet pickle files for unsafe deserialization before loading ML model artifacts. The scanner fails to flag the _operator.methodcaller built-in, so an attacker can craft a pickle that passes picklescan's malware check yet executes arbitrary code the moment a victim calls pickle.load(). No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; the fix landed in version 0.0.34.
Security-scanner bypass in Picklescan before 0.0.33 lets attackers smuggle arbitrary-code-execution payloads past its safety checks by abusing the numpy.f2py.crackfortran.getlincoef gadget inside a pickle __reduce__ method, which the scanner fails to flag as dangerous. Because Picklescan is used to vet shared machine-learning model files, a malicious pickle passes as 'clean' and then executes attacker-controlled Python when the trusting downstream consumer deserializes it. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 score is 7.6 and the attack depends on a victim actually loading the file.
Safety-check bypass in picklescan before 0.0.28 allows attackers to smuggle malicious pickle files past the scanner by abusing torch.utils.data.datapipes.utils.decoder.basichandlers as a reduce gadget, so a payload the tool reports as clean still executes arbitrary code when the victim deserializes it. Because picklescan is a defensive scanner used to vet untrusted ML models (notably in Hugging Face workflows), this blind spot converts a trusted safety gate into a false sense of security. No public exploit identified at time of analysis, and it is not on CISA KEV; CVSS 4.0 base score is 7.6.
Security-scanner detection bypass in picklescan before 0.0.34 lets attackers slip malicious pickle files past its checks by invoking _operator.attrgetter inside a reduce method, so a file the scanner reports as clean still executes arbitrary code when pickle.load() deserializes it. The flaw affects ML/AI supply-chain pipelines that rely on picklescan to vet untrusted model files. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 0.0.34.
Security-scanner evasion in picklescan before 0.0.28 lets attackers slip malicious pickle files past its safety checks by abusing the torch.utils.bottleneck.__main__.run_cprofile call, which the scanner's blocklist does not recognize as dangerous. Any ML pipeline or platform that relies on picklescan to vet untrusted models will therefore approve a weaponized file, and the embedded code runs with arbitrary execution when the victim deserializes it. No public exploit identified at time of analysis; not listed in CISA KEV, but VulnCheck published a dedicated advisory and the technique is fully documented.
Detection bypass in picklescan before 0.0.30 lets a crafted pickle smuggle the asyncio.unix_events._UnixSubprocessTransport._start built-in past the scanner's malicious-opcode checks, so a model or pickle that picklescan reports as safe actually executes arbitrary OS commands when a victim deserializes it. Because picklescan is a security scanner used to vet untrusted ML artifacts (e.g. in AI model supply chains), this false-negative turns a trusted safety gate into a blind spot. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is fully described in the VulnCheck advisory.
Malicious-pickle detection bypass in picklescan before 0.0.33 lets attackers smuggle arbitrary code past the scanner by abusing numpy.f2py.crackfortran functions that call eval() on attacker-controlled strings. Because picklescan is itself the security tool meant to vet untrusted pickle/model files, this evasion causes a weaponized pickle to be marked safe, so the embedded code executes when the file is later deserialized. Reported by VulnCheck with a CVSS 4.0 score of 7.6; no public exploit identified at time of analysis and it is not in CISA KEV.
Security-control bypass in picklescan before 0.0.29 lets attackers craft malicious pickle files that evade its malware scanner by hiding a reduce-method payload behind Python's idlelib.calltip.get_entity function, so a file the scanner reports as clean executes arbitrary commands when a victim deserializes it. Affected are ML/AI pipelines and users relying on picklescan to vet untrusted model artifacts. No public exploit or CISA KEV listing is identified at time of analysis, though the technique and a GitHub Security Advisory (GHSA-9xph-j2h6-g47v) are documented by VulnCheck.
Detection bypass in picklescan before 0.0.29 lets attackers slip malicious pickle payloads past the scanner by abusing lib2to3.pgen2.grammar.Grammar.loads inside a pickle reduce method, resulting in remote code execution when the file is later deserialized with pickle.load(). Because picklescan is trusted as a safety gate for machine-learning model files, a bypass converts a 'scanned and clean' verdict into silent arbitrary code execution. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, though the technique is concretely described in the VulnCheck advisory.
Security scanner bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code past the tool's malware detection by abusing torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression, which is not on picklescan's dangerous-globals blocklist. Because picklescan is a defensive tool used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), a bypass causes a malicious model to be marked safe and then execute remote code when the victim deserializes it. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV, but the technique is fully described in the VulnCheck advisory.
Detection bypass in picklescan before 0.0.28 lets attackers smuggle malicious pickle files past the scanner by abusing the torch._dynamo.guards.GuardBuilder.get gadget inside a __reduce__ method, so a file that picklescan reports as safe still executes arbitrary commands when deserialized (e.g. via torch.load). This undermines the security control that ML pipelines and model hubs rely on to vet untrusted model artifacts, turning a trusted-scan result into a false negative. Reported by VulnCheck with a vendor GHSA advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Security-scanner evasion in picklescan before 0.0.33 lets attackers smuggle malicious pickle files past its detection engine by abusing the numpy.f2py.crackfortran.param_eval function inside a pickle reduce method, so a payload the scanner declares safe still triggers arbitrary code execution when the application deserializes it. This defeats the exact protection picklescan exists to provide, endangering ML pipelines that rely on it to vet untrusted model/pickle files (e.g., Hugging Face-style workflows). No public exploit is identified at time of analysis and it is not in CISA KEV, though VulnCheck published an advisory.
Malicious-pickle detection bypass in picklescan before 0.0.30 allows attackers to smuggle undetected remote code execution payloads past the scanner by abusing the torch.utils.bottleneck.__main__.run_autograd_prof gadget, which was absent from picklescan's dangerous-import blocklist. Because picklescan is used as a security gate to vet untrusted ML model files, a false-negative here means a crafted model passes as safe and executes arbitrary code when subsequently deserialized. Reported by VulnCheck via GHSA-4whj-rm5r-c2v8; no public exploit identified at time of analysis, and it is not on CISA KEV.
Detection bypass in picklescan before 0.0.30 lets attackers smuggle malicious pickle files past the scanner by abusing lib2to3.pgen2.pgen.ParserGenerator.make_label as a reduce callable, so a file that picklescan clears still runs arbitrary commands when downstream code calls pickle.load(). picklescan is the security control itself - a static scanner used to vet ML model artifacts - so this weakness undermines the exact protection teams rely on to catch unsafe pickles. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is documented in VulnCheck and vendor advisories.
Malicious pickle detection bypass in picklescan before 0.0.30 lets attackers hide code that runs during pickle.load, because the scanner does not flag the idlelib.run.Executive.runcode primitive used in a reduce method. Since picklescan is a security tool relied upon to vet PyTorch/ML model files, this bypass turns a trusted safety check into a false 'clean' verdict, enabling remote code execution and supply-chain attacks against anyone loading an attacker-supplied model. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
Denial-of-service in WatchGuard Fireware OS Management Web UI allows an authenticated administrator to crash the management service by submitting crafted input to the put_data endpoint, which performs unsafe deserialization of attacker-controlled data (CWE-502). The CVSS 4.0 vector (PR:H, VA:H) confirms that exploitation is restricted to administrator-level accounts and results in availability loss only - no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this firmly in the insider-threat and compromised-credential risk category.
PHP Object Injection in the Themify Popup WordPress plugin (all versions through 1.4.3) lets an authenticated attacker pass attacker-controlled serialized data into an unsafe deserialization sink (CWE-502), instantiating arbitrary PHP objects. Combined with a suitable gadget chain in the plugin, WordPress core, or other installed code, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack; no public exploit is identified at time of analysis and it is not on CISA KEV.
Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.
Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Remote code execution in Ray (the distributed compute/ML framework) before version 2.56.0 lets attackers run arbitrary code by feeding a malicious tar archive to the WebDataset reader. The read_webdataset() datasource invokes pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries with no validation, so code executes inside every Ray remote worker that processes the archive. No public exploit has been identified at time of analysis, but the fix is available in Ray 2.56.0 and the issue is documented in a GitHub Security Advisory (GHSA-hhrp-gw25-jr43) and a VulnCheck advisory.
Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.
Local code execution and privilege escalation in NVIDIA Megatron Bridge (Linux) stems from unsafe handling of dynamically managed code resources, rooted in an insecure deserialization flaw (CWE-502). A low-privileged local user who can influence the data or model artifacts Megatron Bridge loads can achieve arbitrary code execution, escalate privileges, tamper with data, and disclose information. NVIDIA self-reported the issue with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and code execution in NVIDIA Megatron Bridge for Linux stems from unsafe deserialization of attacker-controlled input (CWE-502), allowing a low-privileged local user to achieve arbitrary code execution, tamper with data, and disclose information. NVIDIA reported the flaw with no public exploit identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided. Megatron Bridge is an ML/LLM training framework, so impact centers on shared GPU/training hosts rather than internet-facing services.
Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux allows a low-privileged local attacker to achieve code execution, privilege escalation, data tampering, and information disclosure. Megatron Bridge is NVIDIA's model-interoperability tooling used to convert and load large-language-model checkpoints in the Megatron/PyTorch training stack, where unsafe object deserialization (CWE-94) lets attacker-controlled serialized data run arbitrary code in the process context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 (High) rating with full C/I/A impact makes it a meaningful risk on shared or multi-tenant ML infrastructure.
Insecure deserialization in NVIDIA Megatron Bridge for Linux (CWE-502) lets an attacker who supplies a crafted serialized object achieve code execution, privilege escalation, data tampering, and information disclosure when a local user loads that data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows the attack is local and hinges on the victim opening attacker-controlled content, with no public exploit identified at time of analysis. Megatron Bridge is a specialized NVIDIA library for bridging large-language-model training frameworks, so exposure is concentrated in ML/AI training and research environments rather than general enterprise fleets.
Arbitrary code execution in NVIDIA Megatron Bridge for Linux arises from unsafe deserialization of untrusted data (CWE-502), allowing an attacker who tricks a user into loading a crafted serialized object to execute code, escalate privileges, tamper with data, and disclose information. The flaw affects the Megatron Bridge model-conversion/training tooling and is locally exploitable but hinges on victim interaction (UI:R). No public exploit code has been identified and the issue is not in CISA KEV, so there is currently no evidence of active exploitation.
Arbitrary code execution and privilege escalation in NVIDIA Megatron Bridge on Linux arises from unsafe deserialization of untrusted data, allowing a local attacker who convinces a user to load a malicious serialized object to run code, tamper with data, and disclose information. NVIDIA (the reporting vendor) rates it 7.8 (High); the CVSS vector requires local access and user interaction, so exploitation is not remote-unauthenticated. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary code execution in NVIDIA Megatron Bridge (all versions per the NVIDIA advisory) arises from unsafe deserialization of untrusted data (CWE-502), where an attacker supplies a crafted serialized object — typically a malicious model checkpoint or configuration artifact — that a user loads locally, yielding code execution, privilege escalation, data tampering, and information disclosure. The CVSS 3.1 base score is 7.8 (High) with a local vector requiring user interaction (AV:L/UI:R) and no attacker privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.
Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux (CWE-502) can lead to arbitrary code execution, privilege escalation, data tampering, and information disclosure when a user loads attacker-controlled data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) indicates a local attack requiring the victim to open or process a malicious artifact — consistent with unsafe deserialization of a model checkpoint, config, or serialized object. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.
Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Pivotal CRM 6.6.4.08 (Aurea) arises from insecure deserialization in the Pivotal.Engine.Client.Services.Conversion.dll component, letting remote attackers run arbitrary code on the server. This is a bypass of the incomplete fix for CVE-2026-39253, and it remains exploitable on systems that only applied the earlier patch-ghi-15381-cwe-502-20251225.zip. No public exploit code has been identified, though public advisories exist for both this issue and its predecessor; EPSS is modest at 0.57% (43rd percentile) and it is not in CISA KEV.
Remote code execution risk in c3p0 versions prior to 0.14.0 arises from the library serving as an essential 'sink' in Java deserialization gadget chains. c3p0's DataSource and ConnectionPoolDataSource objects conform to JavaBean's getXXX() naming convention, causing commons-beanutils and similar libraries to invoke JDBC connection methods as though they were safe property accessors during deserialization - triggering arbitrary JDBC driver execution under attacker control. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 vector scores this at 6.3, largely due to the partial attack requirements (AT:P), though real-world impact when prerequisites are met can substantially exceed that rating.
Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.
Arbitrary code execution bypass in picklescan before 0.0.29 lets attackers smuggle malicious Python pickle files past the scanner by abusing the built-in profile.Profile.run function inside a pickle __reduce__ method, which picklescan's blocklist fails to flag. Because picklescan is a defensive ML supply-chain tool meant to certify pickle/model files as safe, the flaw is a security-control evasion: a file marked 'clean' executes attacker code on deserialization. No public exploit is identified at time of analysis, and it is not in CISA KEV; the CVSS 4.0 base score is 7.6 (High).
Malicious-pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle weaponized pickle files past the scanner by abusing `code.InteractiveInterpreter.runcode` inside a `__reduce__` method, leading to arbitrary code execution when the file is later deserialized with `pickle.load()`. picklescan is a security scanner specifically meant to flag dangerous pickles (e.g. in ML model files), so a gap in its blocklist directly defeats the control users rely on. Reported by VulnCheck with an assigned CVSS 4.0 score of 7.6; no public exploit and no CISA KEV listing identified at time of analysis.