Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2024-56283 HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection.9.50. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-49222 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-12313 HIGH This Week

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
2.3%
CVE-2024-11465 HIGH This Week

The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-20150 HIGH This Month

In Modem, there is a possible system crash due to a logic error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Lr12a Lr13 Nr15 +2
NVD
CVSS 3.1
7.5
EPSS
7.4%
CVE-2024-13136 MEDIUM POC This Month

A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java Mysiteforme
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-10957 HIGH This Month

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2024-10932 HIGH This Month

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-56068 HIGH This Week

Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup.3.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-12994 MEDIUM This Month

A vulnerability was found in running-elephant Datart 1.0.0-rc3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization File Upload
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-52046 Maven CRITICAL PATCH Act Now

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Mina
NVD
CVSS 4.0
10.0
EPSS
23.9%
CVE-2024-12721 HIGH This Week

The Custom Product Tabs For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.4 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization WordPress Information Disclosure Custom Product Tabs For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2024-12677 HIGH This Week

Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
CVSS 4.0
8.5
EPSS
0.3%
CVE-2024-12741 HIGH This Week

A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
CVSS 4.0
8.4
EPSS
4.2%
CVE-2024-56058 CRITICAL Emergency

Unsafe PHP object deserialization in the VRPConnector WordPress plugin (versions up to and including 2.0.1) by denniskravetstns enables remote code execution through PHP Object Injection. Remote attackers can submit crafted serialized payloads that, when unserialized, instantiate attacker-controlled objects and trigger magic methods leading to arbitrary code execution; no public exploit identified at time of analysis, but EPSS places this in the 97th percentile (36.92%) indicating elevated exploitation likelihood.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
36.9%
CVE-2024-12687 HIGH This Week

Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.61.3 before 2.8.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Plextrac
NVD
CVSS 4.0
8.6
EPSS
0.6%
CVE-2024-10095 CRITICAL Act Now

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-54367 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-54282 HIGH This Week

Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu wp-megamenu allows Object Injection.4.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-54273 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker mail-picker allows Object Injection.0.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-11839 HIGH This Week

Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.61.3 before 2.8.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Plextrac
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2024-49147 CRITICAL Act Now

Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Update Catalog
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-12312 HIGH This Week

The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-49070 HIGH This Week

Microsoft SharePoint Remote Code Execution Vulnerability. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Deserialization RCE Microsoft Sharepoint Server
NVD
CVSS 3.1
7.4
EPSS
2.2%
CVE-2024-49063 HIGH This Week

Microsoft/Muzic Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Microsoft Muzic
NVD
CVSS 3.1
8.4
EPSS
1.7%
CVE-2024-11949 HIGH This Week

GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Archiver
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-11947 HIGH This Week

GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Archiver
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-53247 HIGH This Week

In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Splunk
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-49849 HIGH This Week

A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 Safety V16 (All versions), SIMATIC STEP 7 Safety V17 (All versions <. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
CVSS 4.0
8.4
EPSS
0.2%
CVE-2024-55638 PHP CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-55637 PHP CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-55636 PHP CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-11501 HIGH This Week

The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-54136 CRITICAL POC PATCH Act Now

ClipBucket V5 provides open source video hosting with PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization PHP Clipbucket
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-54135 HIGH POC PATCH This Week

ClipBucket V5 provides open source video hosting with PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization PHP Clipbucket
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-12138 MEDIUM POC This Month

A vulnerability classified as critical was found in horilla up to 1.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Horilla
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.7%
CVE-2024-10587 HIGH This Week

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor - Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization WordPress Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-42455 HIGH This Week

A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Deserialization Veeam Backup Replication
NVD
CVSS 3.1
8.1
EPSS
15.1%
CVE-2024-51363 CRITICAL POC Act Now

Insecure deserialization in Hodoku v2.3.0 to v2.3.2 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-53477 CRITICAL Act Now

JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jfinal Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-52338 PyPI CRITICAL PATCH Act Now

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Apache Python Arrow
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2024-53673 CRITICAL Act Now

A java deserialization vulnerability in HPE Remote Insight Support may allow an unauthenticated attacker to execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Java Insight Remote Support
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-11145 CRITICAL Act Now

Valor Apps Easy Folder Listing Pro has a deserialization vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Joomla!. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Easy Folder Listing Pro
NVD GitHub
CVSS 4.0
9.3
EPSS
1.0%
CVE-2024-11662 MEDIUM This Month

A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-53915 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24405. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53914 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24344. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53913 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24343. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53912 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24341. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53911 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24339. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53910 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24336. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53909 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24334. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-9511 CRITICAL Act Now

The FluentSMTP - WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization WordPress PHP Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-11394 PyPI HIGH PATCH This Week

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD
CVSS 3.1
8.8
EPSS
2.4%
CVE-2024-11393 PyPI HIGH PATCH This Week

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD
CVSS 3.1
8.8
EPSS
2.9%
CVE-2024-11392 PyPI HIGH POC PATCH This Week

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
7.1%
CVE-2024-5580 HIGH This Week

Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2024-5579 HIGH This Week

Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2024-11409 HIGH This Week

The Grid View Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input from cs_all_photos_details parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2024-10913 HIGH This Week

The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-52445 HIGH This Week

Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-52443 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52440 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52439 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-10382 HIGH This Week

There exists a code execution vulnerability in the Car App Android Jetpack Library. Rated high severity (CVSS 7.3). No vendor patch available.

Deserialization RCE Java Google Androidx Car App
NVD
CVSS 4.0
7.3
EPSS
0.2%
CVE-2024-52434 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.10.29. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD
CVSS 3.1
9.1
EPSS
1.4%
CVE-2024-52433 CRITICAL POC THREAT Emergency

Unauthenticated PHP object injection in the Mindstien Technologies 'My Geo Posts Free' WordPress plugin (versions up to and including 1.2) allows remote attackers to deserialize attacker-controlled data, potentially leading to full site compromise. The flaw is rated CVSS 9.8 and carries an EPSS of 80.62% (99th percentile), indicating very high probability of near-term exploitation, though no public exploit identified at time of analysis.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
80.6%
Threat
5.9
CVE-2024-52432 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-52430 CRITICAL Emergency

Untrusted data deserialization in the Lis Video Gallery WordPress plugin (versions through 0.2.1) by bublick allows remote attackers to perform PHP object injection, potentially leading to arbitrary code execution depending on gadget chains available in the WordPress instance. The CVSS 9.8 score and EPSS of 31.81% (97th percentile) signal elevated exploitation likelihood, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and affects WordPress sites running this plugin.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
31.8%
CVE-2024-52427 CRITICAL Act Now

Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.

Deserialization
NVD
CVSS 3.1
9.9
EPSS
12.2%
CVE-2024-41151 HIGH This Week

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-52414 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu wdes-responsive-mobile-menu allows Object Injection.3.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-52413 CRITICAL Act Now

Remote code execution in the dmcwebzone Airin Blog WordPress plugin (versions up to and including 1.6.1) is possible through PHP Object Injection via deserialization of untrusted data. Unauthenticated network attackers can exploit this CWE-502 weakness to compromise affected WordPress sites with no user interaction, and while no public exploit identified at time of analysis, the EPSS score of 2.82% (86th percentile) indicates above-average exploitation interest.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2024-52412 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Stephen Cui Xin xin allows Object Injection.0.8.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-52411 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in flowcraft Advanced Personalization personalization-by-flowcraft allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-52410 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector referrer-detector allows Object Injection.2.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-52409 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Phoenixheart AJAX Random Posts ajax-random-posts allows Object Injection.3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-52393 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.1.15. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-37285 HIGH PATCH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Elastic Kibana
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2024-10962 HIGH PATCH This Week

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Migration Backup Staging
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-43080 HIGH PATCH This Week

In onReceive of AppRestrictionsFragment.java, there is a possible escalation of privilege due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-52306 PHP CRITICAL PATCH Act Now

FileManager provides a Backpack admin interface for files and folder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Filemanager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-10013 HIGH This Week

In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Telerik Ui For Winforms
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-10012 HIGH This Week

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-10828 CRITICAL Act Now

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE WordPress PHP Advanced Order Export For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-8069 MEDIUM KEV THREAT This Month

Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Citrix Session Recording
NVD
CVSS 4.0
5.1
EPSS
14.7%
CVE-2024-44102 CRITICAL PATCH Act Now

A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Telecontrol Server Basic
NVD
CVSS 4.0
10.0
EPSS
1.0%
CVE-2024-10749 LOW Monitor

A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization PHP Thinkadmin
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.5%
CVE-2024-50354 Go MEDIUM POC PATCH This Month

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Denial Of Service Gnark
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-43383 NuGet HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache Authentication Bypass Lucene Net
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2024-48112 PHP CRITICAL POC Act Now

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
EPSS 1% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection.9.50. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 2% CVSS 8.1
HIGH This Week

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 7% CVSS 7.5
HIGH This Month

In Modem, there is a possible system crash due to a logic error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Lr12a +4
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java Mysiteforme
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Month

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH This Month

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup.3.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability was found in running-elephant Datart 1.0.0-rc3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization File Upload
NVD GitHub VulDB
EPSS 24% CVSS 10.0
CRITICAL PATCH Act Now

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache +2
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Custom Product Tabs For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.4 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization WordPress +2
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
EPSS 4% CVSS 8.4
HIGH This Week

A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
EPSS 37% CVSS 9.8
CRITICAL Emergency

Unsafe PHP object deserialization in the VRPConnector WordPress plugin (versions up to and including 2.0.1) by denniskravetstns enables remote code execution through PHP Object Injection. Remote attackers can submit crafted serialized payloads that, when unserialized, instantiate attacker-controlled objects and trigger magic methods leading to arbitrary code execution; no public exploit identified at time of analysis, but EPSS places this in the 97th percentile (36.92%) indicating elevated exploitation likelihood.

Deserialization
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.61.3 before 2.8.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Plextrac
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu wp-megamenu allows Object Injection.4.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker mail-picker allows Object Injection.0.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.61.3 before 2.8.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Plextrac
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Update Catalog
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 2% CVSS 7.4
HIGH This Week

Microsoft SharePoint Remote Code Execution Vulnerability. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Deserialization RCE Microsoft +1
NVD
EPSS 2% CVSS 8.4
HIGH This Week

Microsoft/Muzic Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Microsoft +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Archiver
NVD
EPSS 1% CVSS 8.8
HIGH This Week

GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Archiver
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Splunk
NVD
EPSS 0% CVSS 8.4
HIGH This Week

A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 Safety V16 (All versions), SIMATIC STEP 7 Safety V17 (All versions <. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Drupal
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

ClipBucket V5 provides open source video hosting with PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization PHP Clipbucket
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

ClipBucket V5 provides open source video hosting with PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization PHP Clipbucket
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in horilla up to 1.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Horilla
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor - Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Deserialization WordPress +1
NVD
EPSS 15% CVSS 8.1
HIGH This Week

A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Deserialization Veeam Backup Replication
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Insecure deserialization in Hodoku v2.3.0 to v2.3.2 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jfinal Cms
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Apache +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

A java deserialization vulnerability in HPE Remote Insight Support may allow an unauthenticated attacker to execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Java Insight Remote Support
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Valor Apps Easy Folder Listing Pro has a deserialization vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Joomla!. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Easy Folder Listing Pro
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24405. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24344. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24343. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24341. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24339. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24336. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24334. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The FluentSMTP - WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization WordPress +2
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD
EPSS 7% CVSS 8.8
HIGH POC PATCH This Week

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Transformers
NVD Exploit-DB
EPSS 2% CVSS 7.2
HIGH This Week

Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Grid View Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input from cs_all_photos_details parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.3
HIGH This Week

There exists a code execution vulnerability in the Car App Android Jetpack Library. Rated high severity (CVSS 7.3). No vendor patch available.

Deserialization RCE Java +2
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.10.29. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD
EPSS 81% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

Unauthenticated PHP object injection in the Mindstien Technologies 'My Geo Posts Free' WordPress plugin (versions up to and including 1.2) allows remote attackers to deserialize attacker-controlled data, potentially leading to full site compromise. The flaw is rated CVSS 9.8 and carries an EPSS of 80.62% (99th percentile), indicating very high probability of near-term exploitation, though no public exploit identified at time of analysis.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 32% CVSS 9.8
CRITICAL Emergency

Untrusted data deserialization in the Lis Video Gallery WordPress plugin (versions through 0.2.1) by bublick allows remote attackers to perform PHP object injection, potentially leading to arbitrary code execution depending on gadget chains available in the WordPress instance. The CVSS 9.8 score and EPSS of 31.81% (97th percentile) signal elevated exploitation likelihood, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and affects WordPress sites running this plugin.

Deserialization
NVD
EPSS 12% CVSS 9.9
CRITICAL Act Now

Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.

Deserialization
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu wdes-responsive-mobile-menu allows Object Injection.3.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Remote code execution in the dmcwebzone Airin Blog WordPress plugin (versions up to and including 1.6.1) is possible through PHP Object Injection via deserialization of untrusted data. Unauthenticated network attackers can exploit this CWE-502 weakness to compromise affected WordPress sites with no user interaction, and while no public exploit identified at time of analysis, the EPSS score of 2.82% (86th percentile) indicates above-average exploitation interest.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Stephen Cui Xin xin allows Object Injection.0.8.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in flowcraft Advanced Personalization personalization-by-flowcraft allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector referrer-detector allows Object Injection.2.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Phoenixheart AJAX Random Posts ajax-random-posts allows Object Injection.3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.1.15. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Elastic +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In onReceive of AppRestrictionsFragment.java, there is a possible escalation of privilege due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Android
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

FileManager provides a Backpack admin interface for files and folder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Filemanager
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Telerik Ui For Winforms
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE WordPress +2
NVD
EPSS 15% CVSS 5.1
MEDIUM KEV THREAT This Month

Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Citrix +1
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Telecontrol Server Basic
NVD
EPSS 1% CVSS 2.3
LOW Monitor

A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization PHP Thinkadmin
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Denial Of Service Gnark
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP +1
NVD GitHub
Prev Page 15 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy