Skip to main content

Deserialization

2662 CVEs technique

Monthly

CVE-2025-48287 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.6.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47660 HIGH This Week

Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-47568 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection.91. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47532 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection.net Payment Gateway for WooCommerce: from n/a through 1.0.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47530 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection.5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39503 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39500 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39499 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39495 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39485 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39480 CRITICAL Act Now

A critical deserialization vulnerability in the ThemeMakers Car Dealer WordPress theme allows remote attackers to perform PHP object injection attacks without authentication. The vulnerability affects all versions of Car Dealer prior to 1.6.7 and enables complete system compromise with the ability to execute arbitrary code, steal data, or take over the website. With an EPSS score of 0.15% (35th percentile), while not currently in CISA KEV, the vulnerability presents moderate real-world exploitation risk given its network-accessible attack vector and lack of required authentication.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-32293 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Finance Consultant allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-32292 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis - Night Club, Concert, Festival WordPress allows Object Injection.8.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32284 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Pet World allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-31927 CRITICAL Act Now

PHP object injection in Acerola WordPress theme versions up to 1.6.5 enables remote unauthenticated attackers to execute arbitrary code, manipulate application data, or cause denial of service through deserialization of untrusted data. CVSS 9.8 reflects worst-case impact (network vector, no authentication required), though EPSS score of 0.37% (59th percentile) suggests limited active targeting to date. Reported by Patchstack audit team with vulnerability details published in their database, indicating researcher-identified rather than in-the-wild discovery. No CISA KEV listing confirms exploitation remains theoretical or limited in scope.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31924 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Crafts & Arts allows Object Injection.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-31631 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House allows Object Injection.2.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31430 CRITICAL Act Now

PHP Object Injection in 'The Business' WordPress theme through version 1.6.1 allows remote unauthenticated attackers to execute arbitrary code, modify data, or cause denial of service via deserialization of untrusted data. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), exploitation requires no authentication or user interaction. EPSS score of 0.37% suggests low observed exploitation probability despite critical severity, though no public exploit code or CISA KEV listing exists at time of analysis. Patchstack cataloged this vulnerability, indicating security researcher attention to WordPress theme supply chain risks.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31423 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection.2.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31069 CRITICAL Act Now

PHP object injection in HotStar WordPress theme (versions up to 1.4) allows remote unauthenticated attackers to achieve full system compromise through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-based exploitation requiring no authentication or user interaction, though EPSS scoring at 0.37% (59th percentile) indicates relatively low observed exploitation probability. Patchstack reported this vulnerability, and while no CISA KEV listing exists, the trivial attack complexity (AC:L) combined with the WordPress theme context suggests potential for automated scanning and exploitation if gadget chains are present in the target environment.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31049 CRITICAL Act Now

Remote unauthenticated attackers can achieve arbitrary PHP object injection in Dash WordPress theme versions up to 1.3 by exploiting unsafe deserialization of user-controlled data. The CVSS 9.8 score reflects network-based attack with no authentication required and complete compromise potential (confidentiality, integrity, availability). Despite the critical severity, EPSS probability is relatively low (0.37%, 59th percentile), suggesting limited observed exploitation attempts. Reported by Patchstack security research team with public vulnerability database entry available. No CISA KEV listing indicates this is not confirmed as actively exploited in the wild, though the straightforward attack vector (AV:N/AC:L/PR:N) makes it attractive for mass WordPress scanning campaigns.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-48200 PHP CRITICAL PATCH This Week

The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 3.1
10.0
EPSS
2.2%
CVE-2025-4803 HIGH This Month

The Glossary by WPPedia - Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD GitHub
CVSS 3.1
7.2
EPSS
1.4%
CVE-2025-47277 PyPI CRITICAL POC PATCH GHSA Act Now

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Vllm Pytorch AI / ML Red Hat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2025-48018 HIGH This Month

An authenticated user can modify application state data. Rated high severity (CVSS 7.5). No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-39356 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39354 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39349 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.18.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39348 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32928 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32927 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47581 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39410 CRITICAL Act Now

PHP object injection in Smart Sections Theme Builder (WordPress plugin) through version 1.7.8 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-based exploitation requiring no authentication or user interaction, creating a critical remotely exploitable condition. EPSS score of 0.37% (59th percentile) suggests moderate exploitation probability, though no CISA KEV listing or public exploit code has been identified at time of analysis. Patchstack database identifies this as a PHP Object Injection vulnerability affecting the WPBakery Page Builder addon.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47582 CRITICAL Act Now

PHP object injection in WPBot Pro WordPress Chatbot versions up to 12.7.0 allows remote unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization of user-supplied data. The vulnerability achieves complete system compromise with CVSS 9.8 critical severity (network accessible, no authentication required, low complexity). No active exploitation confirmed in CISA KEV, but EPSS score of 0.37% (59th percentile) indicates moderate exploitation likelihood. Patchstack database confirms the vulnerability with technical details available to researchers.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-4905 MEDIUM POC Monitor

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Basestation
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-48134 HIGH This Week

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection.2.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-4742 MEDIUM Monitor

A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-4740 MEDIUM Monitor

A vulnerability was found in BeamCtrl Airiana up to 11.0. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-47784 MEDIUM PATCH This Month

Emlog is an open source website building system. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Emlog
NVD GitHub
CVSS 4.0
6.6
EPSS
0.8%
CVE-2025-4701 MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421.load of the file models/utils.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-32363 CRITICAL This Week

mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Deserialization
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2025-47292 CRITICAL Act Now

Cap Collectif is an online decision making platform that integrates several tools. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 4.0
9.5
EPSS
4.9%
CVE-2025-3623 CRITICAL PATCH Act Now

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress PHP Deserialization Uncanny Automator
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2025-30384 HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
CVSS 3.1
7.4
EPSS
1.7%
CVE-2025-30382 HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2025-30378 HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
CVSS 3.1
7.0
EPSS
0.7%
CVE-2025-42999 CRITICAL POC KEV THREAT Act Now

SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324.

SAP Deserialization Netweaver
NVD
CVSS 3.1
9.1
EPSS
67.8%
CVE-2025-30012 CRITICAL This Week

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Deserialization Java Supplier Relationship Management
NVD
CVSS 3.1
10.0
EPSS
1.8%
CVE-2025-46738 MEDIUM This Month

An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code. Rated medium severity (CVSS 6.6). No vendor patch available.

RCE Deserialization
NVD
CVSS 3.1
6.6
EPSS
0.5%
CVE-2025-47732 HIGH This Month

Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Deserialization Dataverse
NVD
CVSS 3.1
8.7
EPSS
2.7%
CVE-2025-47683 HIGH This Week

Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection.1.9.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-47629 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection.4.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-0855 CRITICAL Act Now

The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2025-30165 PyPI HIGH PATCH GHSA This Week

vLLM is an inference and serving engine for large language models. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Vllm Red Hat
NVD GitHub
CVSS 3.1
8.0
EPSS
1.3%
CVE-2025-43852 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-43851 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-43850 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-43849 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.3%
CVE-2025-43848 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-43847 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-43846 HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
CVSS 4.0
8.9
EPSS
6.0%
CVE-2025-4260 MEDIUM POC This Month

A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Youkefu
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-46567 PyPI MEDIUM POC PATCH This Month

LLama Factory enables fine-tuning of large language models. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Llama Factory
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-23254 HIGH This Week

NVIDIA TensorRT-LLM for any platform contains a vulnerability in python executor where an attacker may cause a data validation issue by local access to the TRTLLM server. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Deserialization Python RCE Nvidia
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-32444 PyPI CRITICAL POC PATCH Act Now

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Vllm Red Hat
NVD GitHub
CVSS 3.1
10.0
EPSS
2.5%
CVE-2025-34491 HIGH POC This Week

GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Mailessentials
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2025-34489 HIGH POC This Week

GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Deserialization Mailessentials
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-35815 LOW Monitor

DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Devexpress
NVD
CVSS 3.1
3.5
EPSS
0.2%
CVE-2023-35814 LOW Monitor

DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Devexpress
NVD
CVSS 3.1
3.5
EPSS
0.6%
CVE-2025-2105 HIGH PATCH This Week

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Information Disclosure WordPress PHP Deserialization Jupiter X Core
NVD
CVSS 3.1
8.1
EPSS
2.6%
CVE-2025-3935 HIGH KEV THREAT Act Now

ConnectWise ScreenConnect 25.2.3 and earlier may be susceptible to ViewState code injection when machine keys are compromised, enabling remote code execution through ASP.NET deserialization.

RCE Deserialization Screenconnect
NVD
CVSS 3.1
8.1
EPSS
15.5%
CVE-2025-46481 HIGH This Week

Deserialization of Untrusted Data vulnerability in Michael Cannon Flickr Shortcode Importer allows Object Injection.2.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-46473 HIGH This Week

Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection.0.5. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-46417 PyPI MEDIUM POC PATCH This Month

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Picklescan
NVD GitHub
CVSS 4.0
6.8
EPSS
0.2%
CVE-2025-23249 HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nvidia RCE Deserialization Nemo
NVD
CVSS 3.1
7.6
EPSS
1.4%
CVE-2025-3857 NuGet HIGH PATCH This Week

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-32434 PyPI CRITICAL POC PATCH Act Now

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Deserialization Pytorch AI / ML
NVD GitHub
CVSS 4.0
9.3
EPSS
1.2%
CVE-2025-29953 NuGet CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.1.1 when performing connections to untrusted servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Activemq Nms Openwire
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-39588 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39551 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection.47. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39550 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection.2.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39527 HIGH This Week

Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-32686 HIGH This Week

Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection.4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-32662 HIGH This Week

Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-32658 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32647 HIGH This Week

Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer allows Object Injection.2.70. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-32572 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection.5.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32571 HIGH This Week

Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-27287 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz allows Object Injection.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-27286 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.6.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection.91. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection.net Payment Gateway for WooCommerce: from n/a through 1.0.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection.5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

A critical deserialization vulnerability in the ThemeMakers Car Dealer WordPress theme allows remote attackers to perform PHP object injection attacks without authentication. The vulnerability affects all versions of Car Dealer prior to 1.6.7 and enables complete system compromise with the ability to execute arbitrary code, steal data, or take over the website. With an EPSS score of 0.15% (35th percentile), while not currently in CISA KEV, the vulnerability presents moderate real-world exploitation risk given its network-accessible attack vector and lack of required authentication.

Deserialization
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Finance Consultant allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis - Night Club, Concert, Festival WordPress allows Object Injection.8.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Pet World allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in Acerola WordPress theme versions up to 1.6.5 enables remote unauthenticated attackers to execute arbitrary code, manipulate application data, or cause denial of service through deserialization of untrusted data. CVSS 9.8 reflects worst-case impact (network vector, no authentication required), though EPSS score of 0.37% (59th percentile) suggests limited active targeting to date. Reported by Patchstack audit team with vulnerability details published in their database, indicating researcher-identified rather than in-the-wild discovery. No CISA KEV listing confirms exploitation remains theoretical or limited in scope.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Crafts & Arts allows Object Injection.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House allows Object Injection.2.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in 'The Business' WordPress theme through version 1.6.1 allows remote unauthenticated attackers to execute arbitrary code, modify data, or cause denial of service via deserialization of untrusted data. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), exploitation requires no authentication or user interaction. EPSS score of 0.37% suggests low observed exploitation probability despite critical severity, though no public exploit code or CISA KEV listing exists at time of analysis. Patchstack cataloged this vulnerability, indicating security researcher attention to WordPress theme supply chain risks.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection.2.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in HotStar WordPress theme (versions up to 1.4) allows remote unauthenticated attackers to achieve full system compromise through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-based exploitation requiring no authentication or user interaction, though EPSS scoring at 0.37% (59th percentile) indicates relatively low observed exploitation probability. Patchstack reported this vulnerability, and while no CISA KEV listing exists, the trivial attack complexity (AC:L) combined with the WordPress theme context suggests potential for automated scanning and exploitation if gadget chains are present in the target environment.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated attackers can achieve arbitrary PHP object injection in Dash WordPress theme versions up to 1.3 by exploiting unsafe deserialization of user-controlled data. The CVSS 9.8 score reflects network-based attack with no authentication required and complete compromise potential (confidentiality, integrity, availability). Despite the critical severity, EPSS probability is relatively low (0.37%, 59th percentile), suggesting limited observed exploitation attempts. Reported by Patchstack security research team with public vulnerability database entry available. No CISA KEV listing indicates this is not confirmed as actively exploited in the wild, though the straightforward attack vector (AV:N/AC:L/PR:N) makes it attractive for mass WordPress scanning campaigns.

Deserialization
NVD
EPSS 2% CVSS 10.0
CRITICAL PATCH This Week

The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH This Month

The Glossary by WPPedia - Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Vllm Pytorch +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

An authenticated user can modify application state data. Rated high severity (CVSS 7.5). No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.18.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in Smart Sections Theme Builder (WordPress plugin) through version 1.7.8 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-based exploitation requiring no authentication or user interaction, creating a critical remotely exploitable condition. EPSS score of 0.37% (59th percentile) suggests moderate exploitation probability, though no CISA KEV listing or public exploit code has been identified at time of analysis. Patchstack database identifies this as a PHP Object Injection vulnerability affecting the WPBakery Page Builder addon.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in WPBot Pro WordPress Chatbot versions up to 12.7.0 allows remote unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization of user-supplied data. The vulnerability achieves complete system compromise with CVSS 9.8 critical severity (network accessible, no authentication required, low complexity). No active exploitation confirmed in CISA KEV, but EPSS score of 0.37% (59th percentile) indicates moderate exploitation likelihood. Patchstack database confirms the vulnerability with technical details available to researchers.

WordPress Deserialization
NVD
EPSS 0% CVSS 4.8
MEDIUM POC Monitor

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Basestation
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection.2.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 4.8
MEDIUM Monitor

A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM Monitor

A vulnerability was found in BeamCtrl Airiana up to 11.0. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 6.6
MEDIUM PATCH This Month

Emlog is an open source website building system. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Emlog
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421.load of the file models/utils.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL This Week

mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Deserialization
NVD
EPSS 5% CVSS 9.5
CRITICAL Act Now

Cap Collectif is an online decision making platform that integrates several tools. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress PHP Deserialization +1
NVD
EPSS 2% CVSS 7.4
HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
EPSS 1% CVSS 7.0
HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
EPSS 68% CVSS 9.1
CRITICAL POC KEV THREAT Act Now

SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324.

SAP Deserialization Netweaver
NVD
EPSS 2% CVSS 10.0
CRITICAL This Week

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Deserialization +2
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code. Rated medium severity (CVSS 6.6). No vendor patch available.

RCE Deserialization
NVD
EPSS 3% CVSS 8.7
HIGH This Month

Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Deserialization Dataverse
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection.1.9.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection.4.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

vLLM is an inference and serving engine for large language models. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Vllm +1
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 6% CVSS 8.9
HIGH This Week

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Retrieval Based Voice Conversion Webui
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Youkefu
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

LLama Factory enables fine-tuning of large language models. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Llama Factory
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

NVIDIA TensorRT-LLM for any platform contains a vulnerability in python executor where an attacker may cause a data validation issue by local access to the TRTLLM server. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Deserialization Python +2
NVD
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Vllm +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Mailessentials
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Deserialization Mailessentials
NVD
EPSS 0% CVSS 3.5
LOW Monitor

DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Devexpress
NVD
EPSS 1% CVSS 3.5
LOW Monitor

DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Devexpress
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Information Disclosure WordPress PHP +2
NVD
EPSS 16% CVSS 8.1
HIGH KEV THREAT Act Now

ConnectWise ScreenConnect 25.2.3 and earlier may be susceptible to ViewState code injection when machine keys are compromised, enabling remote code execution through ASP.NET deserialization.

RCE Deserialization Screenconnect
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Michael Cannon Flickr Shortcode Importer allows Object Injection.2.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection.0.5. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Picklescan
NVD GitHub
EPSS 1% CVSS 7.6
HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nvidia RCE Deserialization +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Deserialization Pytorch +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.1.1 when performing connections to untrusted servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection.47. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection.2.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection.4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer allows Object Injection.2.70. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection.5.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz allows Object Injection.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
Prev Page 12 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy