Deserialization

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. Apache confirmed the flaw affects applications calling IoBuffer.getObject() and released patches in versions 2.0.28, 2.1.11, and 2.2.6. CVSS 9.8 critical score reflects network-accessible unauthenticated exploitation with complete system compromise potential.

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction. Applications using IoBuffer.getObject() are affected. Vendor-released patches available in versions 2.0.28, 2.1.11, and 2.2.6.

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

Out-of-bounds memory read in Deskflow's clipboard deserialization allows authenticated remote peers to crash the application or potentially leak memory contents. The vulnerability affects versions prior to 1.26.0.138 and stems from insufficient validation of clipboard data structure during network transfer between connected machines. A malicious peer on the shared keyboard/mouse network can exploit this by sending specially crafted clipboard updates. CVSS 7.4 reflects network-based attack with low complexity requiring authenticated peer connection. No public exploit identified at time of analysis, though proof-of-concept code exists (CVSS E:P).

Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems)-no cluster access or authentication needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.

Apache NiFi TinkerpopClientService allows authenticated high-privilege users to execute arbitrary code without proper permission validation. The service fails to enforce required Execute Code permissions, enabling privilege escalation within the NiFi environment. While CVSS scores this at 7.5 (High), real-world risk requires authenticated high-privilege access (PR:H), significantly limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit code has been identified, and CISA KEV does not list this vulnerability, suggesting no confirmed active exploitation at time of disclosure.

Tenant authorization bypass in Apache DolphinScheduler versions before 3.4.1 allows authenticated low-privilege users to execute workflows using arbitrary tenant configurations not assigned to their account, exposing high confidentiality and integrity risks. The vulnerability (CWE-863: Incorrect Authorization) enables privilege escalation through tenant context manipulation during workflow execution. Despite a CVSS score of 8.1, EPSS probability is low (0.02%, 4th percentile) with no active exploitation confirmed. Vendor patch is available in version 3.4.1.

Unsafe deserialization in Apache DolphinScheduler RPC module (versions 3.2.0 to 3.3.0) allows authenticated network attackers to achieve remote code execution by injecting malicious class types into StandardRpcRequest messages sent to Master or Worker nodes. The vulnerability requires network access and valid credentials but carries moderate CVSS (6.3) with very low EPSS exploitation probability (0.02%), suggesting limited real-world weaponization despite the dangerous vulnerability class.

Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` - an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.

Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descriptions to inject malicious code into generated HTTP client libraries. Exploitation requires developers to generate clients from untrusted or compromised OpenAPI specifications, then compile and execute the poisoned code. The attack chain culminates in arbitrary code execution within the context of applications using the tainted generated clients. CVSS 7.3 with local attack vector and user interaction required suggests lower immediate urgency, though EPSS data is unavailable. No public exploit code or active exploitation confirmed at time of analysis.

All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.

Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis. The CVSS 8.1 (High) reflects network accessibility but 'High' attack complexity (AC:H), indicating successful exploitation requires specific conditions beyond simple network access.

Improper error handling in free5GC AMF prior to version 1.4.3 allows remote attackers to invoke the HTTPUEContextTransfer handler with uninitialized request objects by sending requests with unsupported Content-Type headers. The missing default case in the Content-Type switch statement silently skips deserialization without raising an error, resulting in integrity loss when malformed or crafted payloads reach the processor with null/uninitialized state. CVSS score of 5.5 reflects low integrity impact; publicly available exploit code exists (E:P).

Fail-open request handling in free5GC UDR's POST /nudr-dr/v2/policy-data/subs-to-notify endpoint allows Policy Data notification subscriptions to be created with invalid, empty, or partially processed input after HTTP body read or deserialization failures. The handler fails to return after sending error responses (HTTP 500 for body read failure, HTTP 400 for deserialization failure), causing execution to continue and invoke the subscription processor with an uninitialized or malformed PolicyDataSubscription object. This is a logic flaw rather than memory corruption or remote code execution, but it violates fail-secure design principles for a write-capable API and may result in inconsistent subscription state or unintended database entries depending on downstream validation behavior.

PHP object injection in MetaSlider Responsive Slider plugin (WordPress) through version 3.106.0 allows authenticated administrators with high privileges to execute arbitrary code by deserializing untrusted data. The vulnerability requires authenticated high-privilege access (PR:H), limiting exploitation to compromised admin accounts or malicious insiders. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.

Deserialization vulnerability in Apache Airflow webserver (all versions before 3.2.0) allows network-accessible attackers to execute arbitrary code by injecting malicious XCom payloads, despite vendor-assigned Low severity due to the trusted Dag Author threat model. CVSS 9.8 Critical rating reflects unauthenticated network-based RCE capability (AV:N/PR:N), contradicting the description's trust assumption. EPSS 0.07% (22nd percentile) suggests low immediate exploitation likelihood. No active exploitation confirmed; vendor patch available in version 3.2.0 with public GitHub PR.

Zebra cryptocurrency node prior to version 4.3.1 allocates excessive memory (up to 233,016 addresses) when deserializing addr/addrv2 protocol messages, even though the specification limits messages to 1,000 addresses. An attacker can trigger out-of-memory crashes by sending multiple oversized address messages over different connections. This is a network-accessible denial of service vulnerability affecting all Zebra versions before 4.3.1, with no public exploit code identified but straightforward to execute given the protocol specification.

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.

Remote code execution in Digital Knowledge KnowledgeDeliver (all versions prior to February 24, 2026) via malicious ViewState deserialization. A hard-coded ASP.NET machineKey allows unauthenticated remote attackers to bypass ViewState validation and execute arbitrary code on the server. Mandiant reported this critical deserialization vulnerability. EPSS score of 0.08% (24th percentile) suggests low observed exploitation activity, though no public exploit is confirmed at time of analysis. CVSS vector indicates network-accessible attack requiring no privileges or user interaction, but the 7.5 score reflects only Confidentiality impact-real-world RCE capability makes this significantly more severe than the partial CVSS rating suggests.

Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4.

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

{subsId} endpoint, allowing unintended modification of Policy Data notification subscriptions with invalid or partially processed input. The handler lacks return statements following error responses, causing execution to continue to the downstream processor with uninitialized or empty subscription objects. No public exploit code or active exploitation has been confirmed; this is a robustness and input validation flaw affecting write operations on a core 5G network function.

Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. Public exploit code exists. EPSS score is low (0.10%) indicating limited observed exploitation, but impact is severe for exposed deployments with misconfigured network segmentation.

Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge.

Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory.

Privilege escalation in Azure Monitor Agent versions prior to 1.41.0 exploits insecure deserialization of untrusted data, allowing authenticated local attackers with low privileges to achieve full system compromise (high confidentiality, integrity, and availability impact). CVSS 7.8 severity reflects local attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis, though the vulnerability class (CWE-502) is well-understood and frequently targeted. Microsoft has released patch version 1.41.0 to address this flaw.

Deserialization of untrusted data in Microsoft HPC Pack 2019 enables authenticated local attackers to escalate privileges to SYSTEM level. Affects all versions below 6.3.8355. Vendor-released patch available via Microsoft Security Response Center. CVSS 7.8 reflects high impact (complete system compromise) with low attack complexity requiring only low-level authenticated access. No public exploit identified at time of analysis, though CWE-502 deserialization flaws are well-understood and commonly weaponized once technical details emerge.

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.

Remote code execution in Keras 3.13.0 allows unauthenticated attackers to execute arbitrary code by crafting malicious .keras model files that load attacker-controlled TensorFlow SavedModels during deserialization, bypassing safe_mode protections. Exploitation requires user interaction (victim must load the malicious model), but no authentication is required to deliver the payload. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, but the technical barrier is low given the detailed vulnerability disclosure.

Remote code execution in Apache Airflow 3.1.x allows authenticated DAG Authors to execute arbitrary code in the webserver context through crafted XCom payloads exploiting insecure deserialization (CWE-502). Affects Apache Airflow versions 3.1.8 through <3.2.0. Despite CVSS 8.8, vendor rates severity as Low due to DAG Authors being highly trusted roles. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.07% (21st percentile), indicating minimal real-world risk. Vendor-released patch: Apache Airflow 3.2.0.

Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

wolfSSL versions up to 5.9.0 allow arbitrary memory deallocation via unsafe deserialization of poisoned session cache data. An attacker with high privileges who can inject a crafted session into the cache and trigger specific session restore API calls can cause memory corruption with availability impact. No public exploit code or active exploitation has been confirmed; the vulnerability requires precise conditions including local access, high privileges, and user interaction.

Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. CVSS 9.4 (Critical). No public exploit identified at time of analysis. Attack requires low-privileged authentication (PR:L) and network access but no user interaction.

LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.

Unsafe YAML deserialization in PraisonAI allows remote code execution through malicious agent definition files. The AgentService.loadAgentFromFile method uses js-yaml.load without safe schema restrictions, permitting dangerous tags like !!js/function that execute arbitrary JavaScript. Unauthenticated attackers can upload crafted YAML files via API endpoints to achieve complete server compromise. Affects PraisonAI prior to v4.5.115. Publicly available exploit code exists via proof-of-concept demonstrating command execution.

Arbitrary code execution in Red Hat Quay via unsafe deserialization during resumable container image uploads affects multiple Quay 3.x deployments and Mirror Registry instances. An authenticated attacker with low privileges can tamper with intermediate upload data stored in the database to execute code on the Quay server, though exploitation requires high attack complexity and user interaction (CVSS 7.1). EPSS data not available; no public exploit identified at time of analysis, but the deserialization vulnerability class (CWE-502) is well-understood and frequently targeted.

PHP object injection in Everest Forms for WordPress (all versions ≤3.4.3) allows unauthenticated remote attackers to achieve critical system compromise. Attackers submit malicious serialized payloads through any public form field, which persist through sanitization into the wp_evf_entrymeta database table. When administrators view form entries, unsafe unserialize() without class restrictions processes the payload, enabling arbitrary code execution. CVSS 9.8 (Critical) reflects network-accessible

Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.

Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.

Unsafe deserialization in pytries datrie through version 0.8.3 enables remote code execution when loading untrusted trie files via Trie.load(), Trie.read(), or Trie.__setstate__(). Unauthenticated remote attackers can exploit this vulnerability by crafting malicious serialized trie objects; publicly available exploit code exists, and the maintainers have not yet addressed the issue despite early notification.

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Vendor unresponsive to coordinated disclosure attempts, raising concerns about patch availability and ongoing risk for production deployments of this federated machine learning framework.

Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.

Unsafe deserialization in NASA cFS Pickle Module (versions up to 7.0.0) allows authenticated local attackers with low privileges to trigger remote code execution or information disclosure through the pickle.load() function. The vulnerability requires high attack complexity and local access, limiting its practical exploitation scope. Public exploit code is available, but the issue remains unpatched as of the last vendor update.

Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.

Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient impleme

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in

Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.

Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.

Insecure deserialization in WatchGuard Fireware OS enables local code execution as the portald user when combined with a filesystem write primitive. Affects Fireware OS versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2 on platforms supporting Access Portal (excludes T-15/T-35 models). CVSS 8.4 severity reflects high impact but requires prior high-privilege local access and an existing write vulnerability to exploit. No public exploit identified at time of analysis, with EPSS data unavailable for risk probability assessment.

Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.

Arbitrary Perl code execution in GRID::Machine through version 0.127 occurs when clients connect to remote hosts via RPC over SSH, as the client-side deserializer uses eval() on untrusted data from the remote peer without validation. A compromised or malicious remote host can inject arbitrary Perl code into Dumper-formatted responses that executes silently on the client during RPC calls, while maintaining correct return values to avoid detection. The vulnerability is design-inherent but the trust requirement for remote hosts is not documented, creating a security expectation mismatch for users.

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

The serialize-javascript npm library versions prior to 7.0.5 contain a CPU exhaustion denial-of-service vulnerability triggered when processing specially crafted array-like objects with artificially large length properties, causing the serialization process to hang indefinitely and consume 100% CPU. The vulnerability affects npm package serialize-javascript (pkg:npm/serialize-javascript) and impacts applications that serialize untrusted or user-controlled objects, particularly those also vulnerable to prototype pollution or YAML deserialization attacks that could inject malicious payloads. No public exploit code has been identified, but the attack vector is network-accessible with high complexity, posing a moderate real-world threat in supply-chain and backend service contexts.

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

Remote Code Execution and Arbitrary File Read in Metabase Enterprise Edition allows authenticated administrators to execute arbitrary code and read sensitive files via malicious serialization archives. Affected versions span at least 1.47 through 1.59.3, with patches released in versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. The vulnerability exploits the POST /api/ee/serialization/import endpoint by injecting INIT properties into H2 JDBC specifications within crafted serialization archives, triggering arbitrary SQL execution during database synchronization. Authentication as an admin is required (CVSS PR:H), and the vulnerability has been confirmed exploitable on Metabase Cloud infrastructure.

Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. Vendor-released patch: version 1.60.3. No public exploit identified at time of analysis, though the issue was responsibly disclosed through DataDog's bug bounty program by Mohamed Amine ait Ouchebou.

A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.

The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. This represents a critical risk for WordPress sites using this plugin with elevated user accounts.

Saloon PHP library versions prior to 4.0.0 contain a PHP object injection vulnerability in the AccessTokenAuthenticator::unserialize() method, which unsafely deserializes OAuth token state using unserialize() with allowed_classes set to true. An attacker who can control the serialized token string-such as by overwriting a cached token file or injecting malicious data-can supply a crafted serialized gadget object that executes arbitrary code through PHP magic methods during deserialization. In environments with common dependencies like Monolog present, this vulnerability can be reliably chained to achieve remote code execution (RCE), making it a critical threat to any API integration or SDK built on vulnerable Saloon versions.

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.

A deserialization of untrusted data vulnerability in the JS Archive List jQuery widget (jquery-archive-list-widget) versions up to 6.1.7 allows remote attackers to inject malicious objects and achieve code execution or information disclosure. The vulnerability affects WordPress installations using the vulnerable plugin versions, and exploitation requires sending crafted serialized PHP objects to the affected endpoint. No CVSS vector or EPSS score has been assigned, and KEV status is unknown, though the vulnerability was reported by Patchstack security researchers.

A PHP object injection vulnerability exists in the Edge-Themes Pelicula video production and movie theme due to insecure deserialization of untrusted data, classified as CWE-502. The vulnerability affects Pelicula versions prior to 1.10, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. No CVSS score or EPSS data has been published, and no confirmed KEV or active exploitation in the wild has been reported, but the nature of object injection vulnerabilities typically enables high-impact attacks when paired with accessible gadget chains in the WordPress ecosystem.

A deserialization of untrusted data vulnerability exists in Mikado-Themes Stål (a WordPress theme) that allows arbitrary object injection through unsafe unserialize() operations. Versions prior to 1.7 are affected. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution, data exfiltration, or site compromise depending on available gadget chains in the WordPress environment.

A deserialization of untrusted data vulnerability exists in Edge-Themes Kamperen WordPress theme versions prior to 1.3, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability enables remote code execution or information disclosure without requiring authentication in many scenarios. While no CVSS score is currently published and KEV/EPSS data are unavailable, the vulnerability has been reported by Patchstack and affects all installations of the Kamperen theme below version 1.3.

A deserialization of untrusted data vulnerability exists in Edge-Themes Gracey WordPress theme versions prior to 1.4, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability affects all installations of Gracey below version 1.4 and could enable remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS risk metric, or KEV status has been publicly assigned, but the vulnerability is documented by Patchstack with a patch available in version 1.4.

This is a deserialization of untrusted data vulnerability in the Mikado-Themes Halstein WordPress theme (versions prior to 1.8) that allows arbitrary object injection via CWE-502. An attacker can exploit this flaw to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains. The vulnerability was reported by Patchstack and affects all versions of Halstein below 1.8; no CVSS score, EPSS data, or KEV status is currently published, limiting immediate risk quantification but indicating this is a serious deserialization flaw that should be patched urgently.

A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. While no CVSS score or active KEV status is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15861, indicating it is a recognized threat affecting WordPress installations using the vulnerable Leroux theme.

A deserialization of untrusted data vulnerability exists in Edge-Themes Archicon WordPress theme versions prior to 1.7, allowing attackers to perform arbitrary object instantiation through object injection attacks. This vulnerability, tracked as CWE-502, enables attackers to instantiate arbitrary PHP objects during the deserialization process, potentially leading to remote code execution or other malicious outcomes depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions of Archicon below 1.7, with a patch available in version 1.7 and later.

A deserialization of untrusted data vulnerability exists in Select-Themes Borgholm marketing agency theme (WordPress) that allows object injection attacks. The vulnerability affects Borgholm versions prior to 1.6, and attackers can exploit this to inject malicious PHP objects that execute arbitrary code within the WordPress environment. While no CVSS score or EPSS data is currently available, the CWE-502 classification indicates this is a critical deserialization flaw with high exploitation potential; no active KEV or public POC status is documented, but the vulnerability was reported through Patchstack with full advisory details available.

A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.

A deserialization of untrusted data vulnerability (CWE-502) exists in the magepeopleteam Bus Ticket Booking with Seat Reservation WordPress plugin through version 5.6.0, allowing object injection attacks. An attacker can inject malicious serialized PHP objects into the application, potentially leading to remote code execution or other critical impacts depending on available gadget chains in the WordPress environment. No CVSS score or EPSS data is currently available, and KEV status is unknown, but the vulnerability affects all installations running the vulnerable plugin versions.

A PHP Object Injection vulnerability exists in the ThemeREX Buisson WordPress theme through version 1.1.11, stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other object manipulation attacks depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the public disclosure via Patchstack indicates active awareness in the security community.

A PHP Object Injection vulnerability exists in the ThemeREX Work & Travel Company WordPress theme through version 1.2, stemming from unsafe deserialization of untrusted data (CWE-502). An attacker can exploit this vulnerability to inject malicious objects into the application, potentially leading to remote code execution or arbitrary object manipulation depending on the gadget chains available in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability was identified and reported by Patchstack, though active exploitation status remains unclear.

A PHP Object Injection vulnerability exists in ThemeREX Love Story WordPress theme through version 1.3.12, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can lead to remote code execution or other object-oriented attack chains. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has been reported by Patchstack; no CVSS score or EPSS data is currently available, and KEV status is unknown.

A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. The vulnerability affects all installations of this plugin through version 1.6.2 and has been documented by Patchstack, though CVSS scoring and exploitation metrics are currently unavailable.