Skip to main content

Deserialization

2662 CVEs technique

Monthly

CVE-2025-54897 HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
8.5%
CVE-2025-53303 HIGH This Week

Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48101 HIGH This Week

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47579 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.5.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2025-41701 HIGH This Month

An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-42944 CRITICAL This Week

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization SAP Java
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-58757 PyPI HIGH POC PATCH GHSA This Week

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Medical Open Network For Ai
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-58756 PyPI HIGH POC PATCH GHSA This Week

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Medical Open Network For Ai
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2025-58782 Maven MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Apache Jackrabbit Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-58367 PyPI CRITICAL PATCH This Week

DeepDiff is a project focused on Deep Difference and search of any Python data. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Python RCE Deserialization Suse
NVD GitHub
CVSS 4.0
10.0
EPSS
0.2%
CVE-2025-49401 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ExpressTech Systems Quiz And Survey Master allows Object Injection.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-58839 HIGH This Week

Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-58815 HIGH This Week

Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon allows Object Injection.0.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-48535 HIGH PATCH This Week

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-32312 HIGH PATCH This Month

In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-9365 HIGH This Week

Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 4.0
8.4
EPSS
0.3%
CVE-2025-53690 CRITICAL POC KEV THREAT Act Now

Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.

Deserialization Experience Commerce Experience Manager Experience Platform Managed Cloud
NVD
CVSS 3.1
9.0
EPSS
9.3%
CVE-2025-58644 HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition allows Object Injection.2.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-58643 HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Daylight Edition allows Object Injection.2.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-58642 HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Day & Ross Edition allows Object Injection.1.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-53691 HIGH POC This Week

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).0 through 9.3, from 10.0 through 10.4;. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Commerce Experience Manager Experience Platform +1
NVD
CVSS 3.1
8.8
EPSS
3.3%
CVE-2025-58163 HIGH POC PATCH This Week

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE Freescout
NVD GitHub
CVSS 4.0
8.6
EPSS
1.0%
CVE-2025-9260 MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Deserialization RCE
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-7976 HIGH This Month

Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Shockline
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2025-9188 HIGH This Week

There is a deserialization of untrusted data vulnerability in Digilent DASYLab. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Dasylab
NVD
CVSS 4.0
8.5
EPSS
0.5%
CVE-2025-5662 CRITICAL This Week

A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 3.0
9.8
EPSS
1.4%
CVE-2024-28988 CRITICAL PATCH Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
8.9%
CVE-2025-6507 CRITICAL This Week

A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files.47.0.99999. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2025-54742 HIGH This Week

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection.4.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53584 HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Object Injection.0.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53583 HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection.1.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53572 HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact allows Object Injection.0.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53243 HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory - Staff Listing & Team Directory Plugin for WordPress allows Object Injection.5.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52761 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-13980 CRITICAL This Week

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub
CVSS 4.0
10.0
EPSS
2.8%
CVE-2025-58218 HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes - USPS Edition allows Object Injection.3.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-57773 HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Code Injection Dataease
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2025-43960 PHP HIGH POC This Week

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service PHP Deserialization Adminer Suse
NVD GitHub
CVSS 3.1
8.6
EPSS
0.5%
CVE-2022-45134 CRITICAL Act Now

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mahara
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-52287 HIGH POC This Week

OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Elite
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-54923 HIGH This Month

CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.

RCE Deserialization
NVD
CVSS 4.0
8.7
EPSS
1.4%
CVE-2025-54053 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection.2.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-54014 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54012 HIGH This Week

Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection.11.16. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-54007 HIGH This Week

Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection.3.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53560 HIGH This Week

Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53299 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection.5.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49438 HIGH This Week

Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection.1.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-8289 HIGH This Month

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress File Upload PHP Deserialization Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-8145 HIGH This Month

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization RCE
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-50461 MEDIUM This Month

A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization RCE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-8875 CRITICAL KEV THREAT Act Now

N-able N-central before 2025.3.1 contains a deserialization vulnerability allowing local code execution through crafted serialized data.

Deserialization N Central
NVD
CVSS 4.0
9.4
EPSS
2.6%
CVE-2025-8963 MEDIUM POC This Month

A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Jimureport
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-54686 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49869 HIGH This Week

Deserialization of Untrusted Data vulnerability in Arraytics Eventin allows Object Injection.0.31. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47536 HIGH This Week

Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-23303 HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Nvidia Nemo
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2025-34153 CRITICAL This Week

Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 4.0
10.0
EPSS
1.2%
CVE-2025-2180 MEDIUM This Month

An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto RCE Deserialization Hashicorp
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2025-7384 CRITICAL Act Now

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization RCE Denial Of Service
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2025-53772 HIGH This Month

Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Web Deploy 4 0
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2025-49712 HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
5.6%
CVE-2025-55010 CRITICAL POC PATCH Act Now

Kanboard is project management software that focuses on the Kanban methodology. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE Kanboard
NVD GitHub
CVSS 3.1
9.1
EPSS
3.9%
CVE-2025-40759 HIGH This Week

A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions <. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2024-54678 HIGH This Week

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Microsoft
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-45146 CRITICAL POC Act Now

ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Modelcache
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-8747 PyPI HIGH PATCH GHSA This Month

A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Keras
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-53606 Maven CRITICAL PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-8708 LOW POC Monitor

A vulnerability was found in Antabot White-Jotter 0.22. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization Java
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-54886 PyPI HIGH PATCH This Month

skops is a Python library which helps users share and ship their scikit-learn based models. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization Red Hat
NVD GitHub
CVSS 3.1
8.4
EPSS
0.3%
CVE-2025-55136 MEDIUM This Month

ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-54785 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Privilege Escalation Information Disclosure Suitecrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-54640 MEDIUM This Month

ParcelMismatch vulnerability in attribute deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-54639 MEDIUM This Month

ParcelMismatch vulnerability in attribute deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-54638 MEDIUM This Month

Issue of inconsistent read/write serialization in the ad module. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-54620 MEDIUM This Month

Deserialization vulnerability of untrusted data in the ability module. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-50472 CRITICAL This Week

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()`. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-50460 PyPI CRITICAL PATCH This Week

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
3.1%
CVE-2025-25692 MEDIUM POC This Month

Unauthenticated remote code execution in PrestaShop 8.2.0 is achievable via PHAR deserialization in the _getHeaders function, triggered through a crafted POST request. The publicly available proof-of-concept lowers the bar for exploitation against unpatched storefronts. No active KEV listing exists, but the network-accessible attack surface of e-commerce deployments and the confirmed exploit code make this a meaningful priority for PrestaShop 8.2.0 operators despite a low EPSS score of 0.77%.

Command Injection Deserialization RCE Prestashop
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-25691 MEDIUM POC This Month

Remote code execution in PrestaShop 8.2.0 is achievable through a PHAR deserialization flaw in the theme import endpoint (/themes/import), where a crafted POST request containing a malicious PHP Archive triggers arbitrary code execution on the server. A publicly available proof-of-concept exploit exists on GitHub, lowering the technical barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, but the combination of a public POC and a targeted admin-facing endpoint warrants prompt remediation for any deployment on this version.

Command Injection Deserialization RCE Prestashop
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-8266 LOW POC Monitor

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to achieve limited confidentiality, integrity, and availability impact via manipulation of the targetUrl parameter in the getArticle function of app/modules/cms/controller/collect.js. The CVSS score of 2.1 reflects constrained impact (low severity across all impact categories), but the low EPSS percentile (71%) and publicly available exploit code indicate real-world risk despite authentication requirement. Upgrading to version 3.1.3 resolves the issue.

Deserialization Chancms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.7%
CVE-2025-8227 LOW POC Monitor

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to trigger deserialization vulnerabilities via the taskUrl parameter in the /collect/getArticle endpoint, potentially leading to code execution. The vulnerability has limited confidentiality, integrity, and availability impact per CVSS 4.0 scoring (2.1 score). Publicly available exploit code exists, and the vendor has released patched version 3.1.3.

Deserialization Chancms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-4393 MEDIUM This Month

Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or. Rated medium severity (CVSS 6.5). No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-7876 LOW POC Monitor

Remote code execution in Metasoft MetaCRM through 6.4.2 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization of the 'p' parameter in the AnalyzeParam function of download.jsp. Publicly available exploit code exists; CVSS 2.1 score reflects required authentication (PR:L) and limited technical impact scope, but exploitation probability is marked as probable (E:P). Vendor did not respond to early disclosure notification.

Deserialization Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-53770 CRITICAL POC KEV EUVD KEV THREAT CERT-EU Emergency

Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release.

Microsoft RCE Deserialization
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
90.5%
Threat
9.7
CVE-2025-31422 HIGH This Week

Object injection via unsafe deserialization in designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. No CVSS vector is available, and exploitation probability is low at 0.16 EPSS percentile 36%, with no confirmed public exploit code or active exploitation reported at time of analysis.

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-30973 CRITICAL Act Now

Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30949 CRITICAL Act Now

Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-28961 CRITICAL Act Now

Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-24779 HIGH This Week

Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, percentile 36%), with no confirmed active exploitation at time of analysis.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
EPSS 9% CVSS 8.8
HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.5.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.8
HIGH This Month

An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 10.0
CRITICAL This Week

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization SAP +1
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Medical Open Network For Ai
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Medical Open Network For Ai
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Apache +2
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH This Week

DeepDiff is a project focused on Deep Difference and search of any Python data. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Python RCE +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ExpressTech Systems Quiz And Survey Master allows Object Injection.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon allows Object Injection.0.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Month

In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java +2
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 9% CVSS 9.0
CRITICAL POC KEV THREAT Act Now

Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.

Deserialization Experience Commerce Experience Manager +2
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition allows Object Injection.2.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Daylight Edition allows Object Injection.2.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Day & Ross Edition allows Object Injection.1.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).0 through 9.3, from 10.0 through 10.4;. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Commerce +3
NVD
EPSS 1% CVSS 8.6
HIGH POC PATCH This Week

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Deserialization +1
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Shockline
NVD
EPSS 1% CVSS 8.5
HIGH This Week

There is a deserialization of untrusted data vulnerability in Digilent DASYLab. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Dasylab
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java +1
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files.47.0.99999. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection.4.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Object Injection.0.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection.1.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact allows Object Injection.0.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory - Staff Listing &amp; Team Directory Plugin for WordPress allows Object Injection.5.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 3% CVSS 10.0
CRITICAL This Week

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes - USPS Edition allows Object Injection.3.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Code Injection +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service PHP Deserialization +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mahara
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Elite
NVD GitHub
EPSS 1% CVSS 8.7
HIGH This Month

CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.

RCE Deserialization
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection.2.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection.11.16. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection.3.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection.5.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection.1.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 7.5
HIGH This Month

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress File Upload PHP +2
NVD
EPSS 2% CVSS 8.8
HIGH This Month

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization RCE
NVD GitHub
EPSS 3% CVSS 9.4
CRITICAL KEV THREAT Act Now

N-able N-central before 2025.3.1 contains a deserialization vulnerability allowing local code execution through crafted serialized data.

Deserialization N Central
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Jimureport
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Arraytics Eventin allows Object Injection.0.31. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 2% CVSS 7.8
HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Nvidia +1
NVD
EPSS 1% CVSS 10.0
CRITICAL This Week

Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto RCE Deserialization +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization +2
NVD
EPSS 2% CVSS 8.8
HIGH This Month

Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Web Deploy 4 0
NVD
EPSS 6% CVSS 8.8
HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
EPSS 4% CVSS 9.1
CRITICAL POC PATCH Act Now

Kanboard is project management software that focuses on the Kanban methodology. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions <. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 0% CVSS 8.6
HIGH This Week

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Microsoft
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Modelcache
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Month

A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Keras
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
EPSS 0% CVSS 1.3
LOW POC Monitor

A vulnerability was found in Antabot White-Jotter 0.22. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization Java
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Month

skops is a Python library which helps users share and ship their scikit-learn based models. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

ParcelMismatch vulnerability in attribute deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

ParcelMismatch vulnerability in attribute deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Issue of inconsistent read/write serialization in the ad module. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Deserialization vulnerability of untrusted data in the ability module. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Harmonyos
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()`. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH This Week

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Unauthenticated remote code execution in PrestaShop 8.2.0 is achievable via PHAR deserialization in the _getHeaders function, triggered through a crafted POST request. The publicly available proof-of-concept lowers the bar for exploitation against unpatched storefronts. No active KEV listing exists, but the network-accessible attack surface of e-commerce deployments and the confirmed exploit code make this a meaningful priority for PrestaShop 8.2.0 operators despite a low EPSS score of 0.77%.

Command Injection Deserialization RCE +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Remote code execution in PrestaShop 8.2.0 is achievable through a PHAR deserialization flaw in the theme import endpoint (/themes/import), where a crafted POST request containing a malicious PHP Archive triggers arbitrary code execution on the server. A publicly available proof-of-concept exploit exists on GitHub, lowering the technical barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, but the combination of a public POC and a targeted admin-facing endpoint warrants prompt remediation for any deployment on this version.

Command Injection Deserialization RCE +1
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to achieve limited confidentiality, integrity, and availability impact via manipulation of the targetUrl parameter in the getArticle function of app/modules/cms/controller/collect.js. The CVSS score of 2.1 reflects constrained impact (low severity across all impact categories), but the low EPSS percentile (71%) and publicly available exploit code indicate real-world risk despite authentication requirement. Upgrading to version 3.1.3 resolves the issue.

Deserialization Chancms
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to trigger deserialization vulnerabilities via the taskUrl parameter in the /collect/getArticle endpoint, potentially leading to code execution. The vulnerability has limited confidentiality, integrity, and availability impact per CVSS 4.0 scoring (2.1 score). Publicly available exploit code exists, and the vendor has released patched version 3.1.3.

Deserialization Chancms
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or. Rated medium severity (CVSS 6.5). No vendor patch available.

Deserialization
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code execution in Metasoft MetaCRM through 6.4.2 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization of the 'p' parameter in the AnalyzeParam function of download.jsp. Publicly available exploit code exists; CVSS 2.1 score reflects required authentication (PR:L) and limited technical impact scope, but exploitation probability is marked as probable (E:P). Vendor did not respond to early disclosure notification.

Deserialization Metacrm
NVD GitHub VulDB
EPSS 91% 9.7 CVSS 9.8
CRITICAL POC KEV EUVD KEV THREAT Emergency

Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release.

Microsoft RCE Deserialization
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. No CVSS vector is available, and exploitation probability is low at 0.16 EPSS percentile 36%, with no confirmed public exploit code or active exploitation reported at time of analysis.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, percentile 36%), with no confirmed active exploitation at time of analysis.

Deserialization
NVD
Prev Page 10 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy