Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2025-1945 PyPI CRITICAL POC PATCH Act Now

PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.

Authentication Bypass Deserialization RCE Pytorch AI / ML
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-27816 CRITICAL Act Now

A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Deserialization Windows
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-13906 HIGH This Week

The Gallery by BestWebSoft - Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2025-2043 MEDIUM This Month

A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Pb Cms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2024-12742 HIGH This Week

A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 4.0
8.4
EPSS
0.3%
CVE-2025-0956 HIGH This Week

The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-13787 CRITICAL Act Now

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-13777 HIGH This Week

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Zoomsounds
NVD
CVSS 3.1
8.1
EPSS
2.2%
CVE-2025-0912 CRITICAL PATCH Act Now

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress PHP RCE Deserialization Givewp
NVD GitHub
CVSS 3.1
9.8
EPSS
3.7%
CVE-2025-26999 HIGH This Week

PHP object injection in ProfileGrid WordPress plugin versions up to 5.9.4.3 allows authenticated attackers to execute arbitrary code through unsafe deserialization of user-controlled data. With CVSS 8.8 severity and only low-privilege authentication required, this CWE-502 vulnerability enables full site compromise. EPSS exploitation probability is low (0.23%, 45th percentile) and no active exploitation or public POC is confirmed, though Patchstack has documented the vulnerability in their WordPress plugin security database.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26967 HIGH This Week

PHP object injection in Events Calendar for GeoDirectory plugin versions through 2.3.14 enables authenticated attackers with low-privilege access to execute arbitrary PHP code by injecting malicious serialized objects. The CVSS 8.8 score reflects network-based exploitation requiring only low-level authentication, with no user interaction needed. EPSS score of 0.23% (45th percentile) indicates low observed exploitation probability, and no CISA KEV listing confirms this is not yet actively exploited in the wild. Patchstack database reports this as a confirmed deserialization vulnerability (CWE-502) in the WordPress plugin ecosystem.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26885 HIGH This Week

Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2024-47092 HIGH PATCH This Week

Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization Check Mk Python Api
NVD GitHub
CVSS 4.0
7.7
EPSS
0.2%
CVE-2024-13833 HIGH This Week

The Album Gallery - WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2025-0769 MEDIUM This Month

PixelYourSite - Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Deserialization
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2024-13831 HIGH This Week

The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs'. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Tabs For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2025-0767 MEDIUM This Month

WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Deserialization Wp Activity Log
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-1741 MEDIUM This Month

A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2025-26900 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection.14.27. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-27301 HIGH This Week

Deserialization of Untrusted Data vulnerability in Nazmul Hasan Robin NHR Options Table Manager allows Object Injection.1.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-27300 HIGH This Week

Deserialization of Untrusted Data vulnerability in giuliopanda ADFO allows Object Injection.9.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-26763 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.94.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-1556 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Cicadascms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-13899 HIGH This Week

The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Mambo Joomla Importer
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2025-1403 PyPI HIGH PATCH This Week

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Qiskit
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2024-13789 CRITICAL Act Now

The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2025-27218 MEDIUM POC THREAT This Month

Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.6%.

RCE Code Injection Deserialization
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
57.6%
Threat
4.3
CVE-2024-37361 CRITICAL Act Now

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2024-28777 HIGH This Week

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM RCE Deserialization Denial Of Service Cognos Controller +1
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-13556 HIGH PATCH This Week

The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Information Disclosure PHP Authentication Bypass Deserialization WordPress +1
NVD
CVSS 3.1
8.1
EPSS
2.5%
CVE-2024-12562 CRITICAL Act Now

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization S2Member
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-56180 Maven CRITICAL PATCH Act Now

g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Apache Deserialization Eventmesh Windows +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52577 Maven CRITICAL PATCH Act Now

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Ignite Red Hat
NVD
CVSS 4.0
9.5
EPSS
2.6%
CVE-2024-13770 HIGH This Week

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Puzzles
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-1186 MEDIUM This Month

A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization Xunruicms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1177 MEDIUM POC This Month

A vulnerability was found in dayrui XunRuiCMS 4.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Xunruicms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-24016 Go CRITICAL POC KEV PATCH THREAT Act Now

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Wazuh Python Deserialization RCE Suse
NVD
CVSS 3.1
9.9
EPSS
93.9%
Threat
7.8
CVE-2025-1113 MEDIUM POC This Month

A vulnerability was found in taisan tarzan-cms up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Tarzan Cms
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2021-27017 MEDIUM PATCH This Month

Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Red Hat Suse
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2024-9664 HIGH This Week

The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Wp All Import
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-0994 HIGH KEV THREAT Act Now

Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application.

Microsoft RCE Deserialization Cityworks
NVD
CVSS 4.0
8.6
EPSS
76.0%
CVE-2025-20124 CRITICAL POC CERT-EU Act Now

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Deserialization Java Identity Services Engine
NVD Exploit-DB
CVSS 3.1
9.9
EPSS
8.3%
CVE-2025-24661 HIGH This Week

Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-0974 LOW Monitor

A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2024-13742 CRITICAL PATCH Act Now

The iControlWP - Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2025-24794 PyPI MEDIUM PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Python Snowflake Connector
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-0841 MEDIUM This Month

A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-23045 HIGH PATCH This Month

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Computer Vision Annotation Tool
NVD GitHub
CVSS 4.0
8.7
EPSS
0.9%
CVE-2024-0140 MEDIUM This Month

NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Information Disclosure RCE Nvidia Deserialization
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-0734 MEDIUM This Month

A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Ruoyi
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-24357 PyPI HIGH PATCH This Month

vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Vllm Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2025-24671 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-24601 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThimPress FundPress allows Object Injection.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-12600 HIGH This Month

The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2025-23006 CRITICAL KEV THREAT CERT-EU Act Now

SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance.

Deserialization Sma8200V Sma6200 Firmware Sma6210 Firmware Sma7200 Firmware +4
NVD
CVSS 3.1
9.8
EPSS
61.3%
CVE-2025-23914 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-31903 HIGH This Month

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.

RCE Deserialization IBM Sterling B2b Integrator
NVD
CVSS 3.1
8.8
EPSS
18.2%
CVE-2025-23944 HIGH This Week

Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-23932 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2023-37008 MEDIUM POC This Month

Open5GS MME versions <= 2.6.4 contain a buffer overflow in the ASN.1 deserialization function of the S1AP handler. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Buffer Overflow Open5gs
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-0429 HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Aipower
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-0428 HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Aipower
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2024-49744 HIGH This Month

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-49699 HIGH This Week

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
4.6%
CVE-2024-49688 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-10936 HIGH PATCH This Month

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.5%.

Deserialization WordPress Information Disclosure PHP String Locator
NVD
CVSS 3.1
8.8
EPSS
16.5%
CVE-2025-0586 HIGH This Month

The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization A Hrd
NVD
CVSS 3.1
7.2
EPSS
1.8%
CVE-2024-12703 HIGH This Month

and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 4.0
8.5
EPSS
1.0%
CVE-2024-56515 Go MEDIUM PATCH This Month

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Deserialization Matrix Media Repo Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.4%
CVE-2024-57766 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-57764 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-57763 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-57762 HIGH POC This Month

MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-21364 HIGH PATCH This Month

Microsoft Excel Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization 365 Apps Office Long Term Servicing Channel
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-0465 MEDIUM This Month

A vulnerability was found in AquilaCMS 1.412.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-13163 HIGH This Month

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.

RCE Deserialization Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
26.5%
CVE-2025-22777 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.19.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-12877 CRITICAL PATCH This Week

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.5%.

RCE Deserialization WordPress PHP Givewp
NVD
CVSS 3.1
9.8
EPSS
27.5%
CVE-2024-12627 HIGH This Month

The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-13297 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.X-* before 7.X-1.15. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Eloqua Drupal
NVD
CVSS 3.1
6.6
EPSS
0.6%
CVE-2024-13296 PHP MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.0.0 before 4.0.1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Mailjet Drupal
NVD
CVSS 3.1
6.6
EPSS
0.2%
CVE-2024-13295 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.X-* before 7.X-3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Node Export Drupal
NVD
CVSS 3.1
6.6
EPSS
0.2%
CVE-2024-13288 PHP MEDIUM PATCH Monitor

Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.0.0 before 9.3.4, from 9.4.0 before 9.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Monster Menus Drupal
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-22510 HIGH Act Now

Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection.1.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
14.8%
CVE-2023-27531 Ruby MEDIUM PATCH This Month

There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Suse
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-54676 Maven CRITICAL PATCH This Week

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Openmeetings
NVD
CVSS 3.1
9.8
EPSS
6.1%
CVE-2022-45185 HIGH POC This Week

An issue was discovered in SuiteCRM 7.12.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Suitecrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-55555 HIGH POC THREAT Act Now

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 39.4% and no vendor patch available.

RCE Deserialization PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
39.4%
Threat
4.4
CVE-2024-55556 CRITICAL POC THREAT Emergency

Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.

Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
79.4%
Threat
5.8
CVE-2024-56291 HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection.1.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.6%
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.

Authentication Bypass Deserialization RCE +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Deserialization Windows
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Gallery by BestWebSoft - Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Pb Cms
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 2% CVSS 8.1
HIGH This Week

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress PHP RCE +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in ProfileGrid WordPress plugin versions up to 5.9.4.3 allows authenticated attackers to execute arbitrary code through unsafe deserialization of user-controlled data. With CVSS 8.8 severity and only low-privilege authentication required, this CWE-502 vulnerability enables full site compromise. EPSS exploitation probability is low (0.23%, 45th percentile) and no active exploitation or public POC is confirmed, though Patchstack has documented the vulnerability in their WordPress plugin security database.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in Events Calendar for GeoDirectory plugin versions through 2.3.14 enables authenticated attackers with low-privilege access to execute arbitrary PHP code by injecting malicious serialized objects. The CVSS 8.8 score reflects network-based exploitation requiring only low-level authentication, with no user interaction needed. EPSS score of 0.23% (45th percentile) indicates low observed exploitation probability, and no CISA KEV listing confirms this is not yet actively exploited in the wild. Patchstack database reports this as a confirmed deserialization vulnerability (CWE-502) in the WordPress plugin ecosystem.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization Check Mk Python Api
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

The Album Gallery - WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

PixelYourSite - Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs'. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Deserialization Wp Activity Log
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection.14.27. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Nazmul Hasan Robin NHR Options Table Manager allows Object Injection.1.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in giuliopanda ADFO allows Object Injection.9.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.94.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Cicadascms
NVD GitHub VulDB
EPSS 1% CVSS 7.2
HIGH This Week

The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Qiskit
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +1
NVD
EPSS 58% 4.3 CVSS 5.3
MEDIUM POC THREAT This Month

Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.6%.

RCE Code Injection Deserialization
NVD Exploit-DB
EPSS 0% CVSS 9.9
CRITICAL Act Now

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 8.8
HIGH This Week

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM RCE Deserialization +3
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Information Disclosure PHP Authentication Bypass +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Apache Deserialization +3
NVD
EPSS 3% CVSS 9.5
CRITICAL PATCH Act Now

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +2
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization Xunruicms
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in dayrui XunRuiCMS 4.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Xunruicms
NVD GitHub VulDB
EPSS 94% 7.8 CVSS 9.9
CRITICAL POC KEV PATCH THREAT Act Now

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Wazuh Python Deserialization +2
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in taisan tarzan-cms up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Tarzan Cms
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Red Hat Suse
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP +2
NVD
EPSS 76% CVSS 8.6
HIGH KEV THREAT Act Now

Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application.

Microsoft RCE Deserialization +1
NVD
EPSS 8% CVSS 9.9
CRITICAL POC Act Now

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Deserialization Java +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress
NVD
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The iControlWP - Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Month

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Information Disclosure RCE +2
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Ruoyi
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Month

vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Vllm +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThimPress FundPress allows Object Injection.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH This Month

The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 61% CVSS 9.8
CRITICAL KEV THREAT Act Now

SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance.

Deserialization Sma8200V Sma6200 Firmware +6
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization
NVD
EPSS 18% CVSS 8.8
HIGH This Month

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.

RCE Deserialization IBM +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Open5GS MME versions <= 2.6.4 contain a buffer overflow in the ASN.1 deserialization function of the S1AP handler. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Buffer Overflow Open5gs
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android +1
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 16% CVSS 8.8
HIGH PATCH This Month

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.5%.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 2% CVSS 7.2
HIGH This Month

The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization A Hrd
NVD
EPSS 1% CVSS 8.5
HIGH This Month

and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Deserialization Matrix Media Repo +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 7.5
HIGH POC This Month

MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Month

Microsoft Excel Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization 365 Apps +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability was found in AquilaCMS 1.412.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 26% CVSS 7.8
HIGH This Month

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.

RCE Deserialization Ivanti +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.19.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 28% CVSS 9.8
CRITICAL PATCH This Week

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.5%.

RCE Deserialization WordPress +2
NVD
EPSS 1% CVSS 7.5
HIGH This Month

The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.X-* before 7.X-1.15. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Eloqua Drupal
NVD
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.0.0 before 4.0.1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Mailjet Drupal
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.X-* before 7.X-3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Node Export Drupal
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.0.0 before 9.3.4, from 9.4.0 before 9.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Monster Menus Drupal
NVD
EPSS 15% CVSS 7.2
HIGH Act Now

Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection.1.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Suse
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH This Week

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Openmeetings
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

An issue was discovered in SuiteCRM 7.12.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Suitecrm
NVD GitHub
EPSS 39% 4.4 CVSS 8.8
HIGH POC THREAT Act Now

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 39.4% and no vendor patch available.

RCE Deserialization PHP
NVD GitHub
EPSS 79% 5.8 CVSS 9.8
CRITICAL POC THREAT Emergency

Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.

Deserialization
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection.1.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
Prev Page 14 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy