Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2024-10456 CRITICAL Act Now

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 4.0
9.3
EPSS
17.7%
CVE-2024-50507 CRITICAL Act Now

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
22.1%
CVE-2024-48206 CRITICAL Act Now

A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-48063 PyPI CRITICAL POC PATCH Act Now

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pytorch
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-50416 HIGH This Week

Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce wpc-shop-as-customer allows Object Injection.2.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-50408 HIGH This Week

Deserialization of Untrusted Data vulnerability in Bob Namaste!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-49684 HIGH This Week

Deserialization of Untrusted Data vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Object Injection.22.21. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-49625 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in sphoid SiteBuilder Dynamic Components sitebuilder-dynamic-components allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-49624 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in smartdevth Advanced Advertising System advanced-advertising-system allows Object Injection.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-49332 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in giveawayboost Giveaway Boost giveaway-boost allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-49626 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Piyush Patel Shipyaari Shipping Management shipyaari-shipping-managment allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-10079 HIGH This Week

The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP Wp Easy Post Types
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-48924 NuGet HIGH PATCH This Week

### Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-49318 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Scott My Reading Library my-reading-library allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-47836 PHP MEDIUM POC PATCH This Month

Admidio is an open-source user management solution. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Admidio
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-49227 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in foter Free Stock Photos Foter free-stock-photos-foter allows Object Injection.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-49226 HIGH This Week

Deserialization of Untrusted Data vulnerability in taketin TAKETIN To WP Membership taketin-to-wp-membership allows Object Injection.8.17. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-49218 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently recently-viewed-most-viewed-and-sold-products-for-woocommerce allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48030 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Webextends Telecash Ricaricaweb telecash-ricaricaweb allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48028 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-48026 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-49271 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization Elementor
NVD VulDB
CVSS 3.1
9.1
EPSS
2.8%
CVE-2024-48042 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.7.28. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD VulDB
CVSS 3.1
9.1
EPSS
1.9%
CVE-2024-9634 CRITICAL PATCH Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE WordPress PHP Givewp
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-9953 MEDIUM PATCH This Month

A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python Vince
NVD GitHub
CVSS 3.1
4.9
EPSS
0.4%
CVE-2024-45733 HIGH This Week

In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Splunk Microsoft
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-9917 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Usualtoolcms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
8.7%
CVE-2024-48033 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in baptiste.gourdin Talkback talkback-secure-linkback-protocol allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-47074 CRITICAL PATCH Act Now

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java PostgreSQL Dataease
NVD GitHub
CVSS 4.0
9.3
EPSS
0.6%
CVE-2024-47636 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-9005 HIGH This Week

remotely executed on the server when unsafely deserialized data is posted to the web server. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
CVSS 4.0
7.3
EPSS
0.3%
CVE-2024-9314 HIGH PATCH This Week

The Rank Math SEO - AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Seo
NVD
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-47561 Maven CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Avro +2
NVD
CVSS 4.0
9.2
EPSS
3.3%
CVE-2024-8885 HIGH This Week

A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Sophos Microsoft
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-7434 HIGH This Week

The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.2 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure WordPress Ultrapress
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-7433 HIGH This Week

The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP Empowerment
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7432 HIGH This Week

The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP Unseen Blog
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-45772 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.4.0 before 9.12.0. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apache Java Lucene Replicator
NVD
CVSS 3.1
8.0
EPSS
0.6%
CVE-2024-45200 MEDIUM This Month

In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Code Injection RCE Buffer Overflow
NVD GitHub
CVSS 3.1
6.3
EPSS
1.4%
CVE-2024-8353 CRITICAL POC PATCH THREAT Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

Deserialization PHP RCE WordPress Givewp
NVD
CVSS 3.1
9.8
EPSS
91.9%
Threat
6.2
CVE-2024-8922 HIGH PATCH This Week

The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Product Enquiry For Woocommerce
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-43191 HIGH This Week

IBM ManageIQ could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted yaml file request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization IBM Cloud Pak For Multicloud Management Monitoring
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-8316 HIGH This Week

In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-7576 CRITICAL Act Now

In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-8514 HIGH PATCH This Week

The Prisna GWT - Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization WordPress PHP Information Disclosure +1
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-42323 HIGH This Week

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
4.1%
CVE-2024-46983 Maven CRITICAL PATCH Act Now

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Sofa Hessian
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-8375 PyPI MEDIUM PATCH This Month

There exists a use after free vulnerability in Reverb. Rated medium severity (CVSS 5.7). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Google Denial Of Service Reverb
NVD GitHub
CVSS 4.0
5.7
EPSS
0.1%
CVE-2024-35515 PyPI CRITICAL Act Now

Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-5998 PyPI HIGH POC PATCH This Week

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Langchain
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-22399 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
CVSS 3.1
9.8
EPSS
3.3%
CVE-2024-8862 PyPI MEDIUM POC PATCH This Month

A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization H2O
NVD VulDB
CVSS 4.0
6.9
EPSS
1.3%
CVE-2024-41874 CRITICAL Act Now

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Coldfusion
NVD
CVSS 3.1
9.8
EPSS
30.3%
CVE-2024-28991 HIGH This Week

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Access Rights Manager
NVD
CVSS 3.1
8.0
EPSS
3.1%
CVE-2024-45857 PyPI HIGH This Week

Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-45855 PyPI HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-45854 PyPI HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-45853 PyPI HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-45852 PyPI HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-29847 CRITICAL Act Now

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
52.9%
CVE-2024-43466 HIGH PATCH This Week

Microsoft SharePoint Server Denial of Service Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Denial Of Service Microsoft Sharepoint Server
NVD
CVSS 3.1
7.5
EPSS
4.5%
CVE-2024-43464 HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Microsoft Sharepoint Server
NVD
CVSS 3.1
7.2
EPSS
35.9%
CVE-2024-38018 HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Microsoft Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
51.5%
CVE-2024-44902 PHP CRITICAL Act Now

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
4.3%
CVE-2024-37288 HIGH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-40711 CRITICAL POC KEV THREAT Act Now

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Veeam Backup Replication
NVD
CVSS 3.1
9.8
EPSS
88.2%
CVE-2024-45758 LIB CRITICAL POC Act Now

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization H2O
NVD GitHub
CVSS 3.1
9.1
EPSS
0.9%
CVE-2024-7435 HIGH PATCH This Week

The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Attire
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-8016 HIGH This Week

The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress PHP Events Calendar Pro
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2024-2694 HIGH This Week

The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP Betheme
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-8255 HIGH This Week

Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Dtn Soft
NVD
CVSS 4.0
8.4
EPSS
0.8%
CVE-2024-43931 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in eyecix JobSearch allows Object Injection.5.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jobsearch Wp Job Board
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-8030 CRITICAL PATCH Act Now

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Ultimate Store Kit
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-7656 HIGH This Week

The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress PHP Code Injection RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-7351 HIGH PATCH This Week

The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Simple Job Board
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2024-45169 CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Idol2
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-45167 CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Idol2
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-45166 CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Denial Of Service Idol2
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-5335 CRITICAL PATCH Act Now

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Ultimate Store Kit
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-42363 HIGH This Week

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Kubernetes
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-42362 HIGH POC PATCH This Week

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Hertzbeat
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2024-8003 MEDIUM POC PATCH This Month

A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Gotribe Admin
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.8%
CVE-2024-5932 CRITICAL POC PATCH THREAT Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization WordPress PHP Givewp
NVD GitHub
CVSS 3.1
9.8
EPSS
74.3%
CVE-2024-43354 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.7.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-43252 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.1.1. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.0
EPSS
0.7%
CVE-2024-43242 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.7. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.0
EPSS
0.6%
CVE-2024-37099 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Givewp
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-28986 CRITICAL POC KEV THREAT CERT-EU Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Java Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
84.6%
CVE-2024-43141 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Roland Barker, xnau webdesign Participants Database allows Object Injection.5.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-7561 HIGH This Week

The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure PHP
NVD
CVSS 3.1
8.8
EPSS
0.7%
EPSS 18% CVSS 9.3
CRITICAL Act Now

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 22% CVSS 9.8
CRITICAL Act Now

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pytorch
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce wpc-shop-as-customer allows Object Injection.2.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Bob Namaste!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Object Injection.22.21. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in sphoid SiteBuilder Dynamic Components sitebuilder-dynamic-components allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in smartdevth Advanced Advertising System advanced-advertising-system allows Object Injection.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in giveawayboost Giveaway Boost giveaway-boost allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Piyush Patel Shipyaari Shipping Management shipyaari-shipping-managment allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Scott My Reading Library my-reading-library allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Admidio is an open-source user management solution. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Admidio
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in foter Free Stock Photos Foter free-stock-photos-foter allows Object Injection.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in taketin TAKETIN To WP Membership taketin-to-wp-membership allows Object Injection.8.17. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently recently-viewed-most-viewed-and-sold-products-for-woocommerce allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Webextends Telecash Ricaricaweb telecash-ricaricaweb allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 3% CVSS 9.1
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization Elementor
NVD VulDB
EPSS 2% CVSS 9.1
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.7.28. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE WordPress +2
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python Vince
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Splunk +1
NVD
EPSS 9% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Usualtoolcms
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in baptiste.gourdin Talkback talkback-secure-linkback-protocol allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java PostgreSQL +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

remotely executed on the server when unsafely deserialized data is posted to the web server. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Rank Math SEO - AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 3% CVSS 9.2
CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache +4
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Sophos +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.2 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.4.0 before 9.12.0. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apache Java +1
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Code Injection RCE +1
NVD GitHub
EPSS 92% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

Deserialization PHP RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

IBM ManageIQ could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted yaml file request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization IBM Cloud Pak For Multicloud Management Monitoring
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Prisna GWT - Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization WordPress +3
NVD
EPSS 4% CVSS 8.8
HIGH This Week

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Sofa Hessian
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

There exists a use after free vulnerability in Reverb. Rated medium severity (CVSS 5.7). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Google Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Langchain
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
EPSS 1% CVSS 6.9
MEDIUM POC PATCH This Month

A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization H2O
NVD VulDB
EPSS 30% CVSS 9.8
CRITICAL Act Now

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Coldfusion
NVD
EPSS 3% CVSS 8.0
HIGH This Week

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Access Rights Manager
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Mindsdb
NVD
EPSS 53% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti +1
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Microsoft SharePoint Server Denial of Service Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Denial Of Service Microsoft +1
NVD
EPSS 36% CVSS 7.2
HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Microsoft +1
NVD
EPSS 51% CVSS 8.8
HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Microsoft +1
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Thinkphp
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Elastic +1
NVD
EPSS 88% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Veeam Backup Replication
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization H2O
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.4
HIGH This Week

Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Dtn Soft
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in eyecix JobSearch allows Object Injection.5.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jobsearch Wp Job Board
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress PHP +3
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Idol2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Idol2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Denial Of Service +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Kubernetes
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Hertzbeat
NVD GitHub
EPSS 1% CVSS 5.1
MEDIUM POC PATCH This Month

A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Gotribe Admin
NVD GitHub VulDB
EPSS 74% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization WordPress PHP +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.7.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.0
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.1.1. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.0
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.7. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Givewp
NVD
EPSS 85% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Roland Barker, xnau webdesign Participants Database allows Object Injection.5.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
Prev Page 16 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy