Deserialization
Monthly
Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists(). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
kurwov is a fast, dependency-free library for creating Markov Chains. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Grid Gallery - Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Photo Gallery - Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.17.5 via deserialization of untrusted input from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Event Monster - Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Team Yoast Custom field finder.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
NewPipe is an Android app for video streaming written in Java. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users.5.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta.26.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability classified as critical has been found in Byzoro Smart S80 Management Platform up to 20240411. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Averta Master Slider.9.5. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy.4.20. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WP All Import Import Users from CSV.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability, which was classified as critical, has been found in cym1102 nginxWebUI up to 3.9.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.5%.
Deserialization of Untrusted Data vulnerability in PropertyHive.0.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()`. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The plugin is vulnerable to PHP Object Injection in versions up to and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Link Whisper Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.7.1 via deserialization of untrusted input of the 'mfn-page-items' post meta. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Hubbub Lite - Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The CMB2 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.10.1 via deserialization of untrusted input from the text_datetime_timestamp_timezone. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
GPT Academic provides interactive interfaces for large language models. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability was found in EyouCMS 1.6.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.9.26. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.0.32. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
WordPress is an open publishing platform for the Web. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Modal Popup Box - Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Alldata V0.4.6 is vulnerable to Command execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in websupporter Filter Custom Fields & Taxonomies Light filter-custom-fields-taxonomies-light.05. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.27 via deserialization of untrusted input in the button_shortcode function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Lightbox slider - Responsive Lightbox Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.9 via deserialization of untrusted input through. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.3.7. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.4.2. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.6.4. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in WPENGINE, INC. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.3.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.0.26. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.0.26. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.2 via deserialization of untrusted input in the get_post_data function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance.30.2. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPEverest User Registration.3.2.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The "BuddyPress WooCommerce My Account Integration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A flaw was found in the RPC library APIs of libvirt. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.1.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic.11.17. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Logo Showcase Ultimate - Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Play.ht - Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Slider Responsive Slideshow - Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as critical, was found in TemmokuMVC up to 2.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as critical was found in van_der_Schaar LAB AutoPrognosis 0.1.21. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists(). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
kurwov is a fast, dependency-free library for creating Markov Chains. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Grid Gallery - Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Photo Gallery - Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.17.5 via deserialization of untrusted input from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Event Monster - Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Team Yoast Custom field finder.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
NewPipe is an Android app for video streaming written in Java. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users.5.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta.26.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability classified as critical has been found in Byzoro Smart S80 Management Platform up to 20240411. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Averta Master Slider.9.5. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy.4.20. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WP All Import Import Users from CSV.2. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability, which was classified as critical, has been found in cym1102 nginxWebUI up to 3.9.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.5%.
Deserialization of Untrusted Data vulnerability in PropertyHive.0.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()`. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The plugin is vulnerable to PHP Object Injection in versions up to and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Link Whisper Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.7.1 via deserialization of untrusted input of the 'mfn-page-items' post meta. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Hubbub Lite - Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The CMB2 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.10.1 via deserialization of untrusted input from the text_datetime_timestamp_timezone. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
GPT Academic provides interactive interfaces for large language models. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability was found in EyouCMS 1.6.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.9.26. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.0.32. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
WordPress is an open publishing platform for the Web. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Modal Popup Box - Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Alldata V0.4.6 is vulnerable to Command execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in websupporter Filter Custom Fields & Taxonomies Light filter-custom-fields-taxonomies-light.05. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.27 via deserialization of untrusted input in the button_shortcode function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Lightbox slider - Responsive Lightbox Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.9 via deserialization of untrusted input through. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.3.7. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.4.2. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.6.4. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in WPENGINE, INC. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.3.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.0.26. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.0.26. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.2 via deserialization of untrusted input in the get_post_data function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance.30.2. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPEverest User Registration.3.2.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The "BuddyPress WooCommerce My Account Integration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A flaw was found in the RPC library APIs of libvirt. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.1.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic.11.17. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Logo Showcase Ultimate - Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Play.ht - Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Slider Responsive Slideshow - Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as critical, was found in TemmokuMVC up to 2.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as critical was found in van_der_Schaar LAB AutoPrognosis 0.1.21. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.