Deserialization
Monthly
Detection bypass leading to arbitrary code execution in picklescan before 0.0.30 allows attackers to smuggle malicious payloads past the scanner by abusing the doctest.debug_script function, which picklescan's analyzer does not recognize as dangerous. Because picklescan is used to vet untrusted pickle/ML model files before loading, a crafted pickle marked 'safe' will execute attacker commands the moment pickle.load is invoked. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV, but the technique is well-understood and was disclosed by VulnCheck.
Scanner-detection bypass in picklescan before 0.0.30 lets a crafted pickle file evade malicious-code detection and execute arbitrary code on deserialization. The tool - a Python security scanner used to vet untrusted pickle/ML model files - fails to flag `cProfile.run` calls embedded in a pickle object's `__reduce__` method, so a payload routed through `cProfile.run` passes the scan and then runs when the file is loaded. Reported by VulnCheck (CWE-502); no public exploit identified at time of analysis and it is not in CISA KEV.
Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.
Malicious-pickle detection bypass in picklescan before 0.0.28 lets attackers smuggle remote-code-execution payloads past the scanner by hiding them in a pickle reduce method that invokes torch.utils.collect_env.run, which picklescan's blocklist failed to flag. Because picklescan is the gatekeeper many ML pipelines rely on to vet untrusted models (notably scanning Hugging Face artifacts), a 'clean' verdict on a weaponized file directly leads to command execution when the victim deserializes it. Reported by VulnCheck with a fix in 0.0.28; no public exploit identified at time of analysis and not listed in CISA KEV.
Malicious pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle arbitrary code execution payloads past the scanner by abusing the built-in trace.Trace.run function inside a pickle's __reduce__ method. Because picklescan does not flag trace.Trace.run as a dangerous global, a crafted model/pickle file is reported as safe yet executes arbitrary code when later deserialized via pickle.load. No public exploit identified at time of analysis; this is a classic deny-list gap in a security scanner that defenders rely on to gate untrusted ML artifacts.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.
Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; no EPSS score was supplied.
Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.
Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.
PHP Object Injection in the Uncanny Automator Pro WordPress plugin (versions <= 7.3.0.6) allows authenticated users holding only the low-privileged Subscriber role to inject crafted serialized PHP objects into an unsafe deserialization sink (CWE-502). Depending on the gadget chains present in the plugin or co-installed software, this can escalate to remote code execution, arbitrary file operations, or database tampering. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the input-supplied CVSS of 9.8 likely overstates privileges since the title explicitly scopes the flaw to the Subscriber role.
Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the BuddyBoss Platform WordPress plugin (versions 3.0.4 and earlier) allows attackers with low-privilege Subscriber access to inject crafted serialized objects that are deserialized unsafely, potentially leading to remote code execution, data tampering, or denial of service depending on available gadget chains. The flaw was reported by Patchstack and carries a CVSS base score of 9.8; however, the 'Subscriber' qualifier implies authenticated access is required, which conflicts with the PR:N in the published vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
PHP Object Injection in the Uncanny Automator WordPress plugin (versions 7.3.1.2 and earlier) lets unauthenticated remote attackers submit crafted serialized PHP objects that the application deserializes, potentially leading to full WordPress site compromise. The flaw is rooted in unsafe deserialization of untrusted data (CWE-502) and carries high confidentiality, integrity, and availability impact (CVSS 8.1). No public exploit identified at time of analysis and it is not in CISA KEV; the high attack complexity reflects the need for a usable POP gadget chain in the target environment.
Remote code execution in JetBrains Kotlin before 2.4.20 stems from unsafe deserialization (CWE-502) of build cache metadata, allowing an attacker who can influence cached build artifacts to execute arbitrary code during a build. The flaw carries a CVSS 9.8 (C:H/I:H/A:H) rating, but there is no public exploit identified at time of analysis and EPSS is very low (0.11%, 2nd percentile), and CISA SSVC marks exploitation as 'none'. JetBrains, who reported the issue, has released a fixed version (2.4.20).
Detection bypass in picklescan through version 0.0.26 lets attackers smuggle malicious pickle payloads past the scanner by invoking idlelib.pyshell.ModifiedInterpreter.runcode from a __reduce__ method, which picklescan does not blocklist. Because organizations rely on picklescan to vet PyTorch models and serialized Python objects, a payload it marks 'safe' still achieves arbitrary command execution the moment the victim calls pickle.load(), enabling ML supply-chain attacks. Publicly available exploit code exists (GHSA-3gf5-cxq9-w223 ships a working PoC); the CVE is not in CISA KEV and EPSS data was not provided, so active exploitation is unconfirmed.
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.
PHP Object Injection in the EventPrime event-calendar-management WordPress plugin (versions 4.3.4.1 and earlier) allows an authenticated attacker holding only a low-privilege Subscriber account to inject crafted serialized objects into an unsafe deserialization sink. Depending on the PHP gadget chains present in WordPress core, the plugin, or other installed plugins, this can escalate to data tampering, information disclosure, or remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported by Patchstack.
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.
Arbitrary code execution affects the WebAuthn authentication module of Open Identity Platform OpenAM Community Edition through 16.0.6, where untrusted Java deserialization (CWE-502) of a user-controllable storage attribute lets an attacker run code as the application server user. The vendor advisory (GHSA-6c99-87fr-6q7r) characterizes this as a pre-authentication RCE, but it is reachable only in non-default deployments where the WebAuthn storage/userAttribute has become attacker-writable. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.
Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.
Detection bypass in picklescan before 0.0.29 allows attackers to craft malicious pickle files using idlelib.debugobj.ObjectTreeItem.SetText in __reduce__ methods that evade the scanner's dangerous-function checks, resulting in arbitrary command execution when the victim subsequently calls pickle.load(). The flaw turns picklescan from a security control into a false-assurance tool for ML pipelines that consume untrusted PyTorch models. Publicly available exploit code exists via the GHSA advisory, though no public exploit identified in active campaigns at time of analysis.
Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The GHSA advisory characterizes the impact as property tampering and mass assignment; maintainers rate it minor despite a reporter-assessed HIGH severity.
Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.
PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Detection bypass in picklescan versions prior to 0.0.29 allows attackers to smuggle arbitrary code execution payloads through malicious pickle files by leveraging idlelib.autocomplete.AutoComplete.fetch_completions inside the __reduce__ method. Because the scanner does not flag this built-in Python function as dangerous, victims who rely on picklescan to vet PyTorch models or other pickle artifacts will load attacker-controlled code under pickle.load(). Publicly available exploit code exists (in the GHSA advisory), though no active in-the-wild exploitation has been reported.
Detection bypass in picklescan before 0.0.28 allows attackers to embed malicious torch.jit.unsupported_tensor_ops.execWrapper calls in pickle files that evade the scanner and execute arbitrary code when later loaded via pickle.load(). Publicly available exploit code exists in the GHSA advisory, and the flaw directly undermines the security guarantee picklescan is meant to provide for PyTorch model files. No CISA KEV listing and no EPSS data are provided, but the scanner bypass nature makes this a meaningful supply-chain risk for ML pipelines.
Detection bypass in picklescan before 0.0.33 allows attackers to smuggle arbitrary code through malicious pickle files by abusing numpy.f2py.crackfortran.myeval in a __reduce__ method, which the scanner fails to flag as dangerous. Any ML pipeline or model-hosting workflow that trusts picklescan's verdict before calling pickle.load() will execute attacker-controlled commands; publicly available exploit code exists in the GHSA advisory, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact contingent on user interaction.
Detection bypass in picklescan prior to 0.0.29 allows attackers to smuggle remote code execution payloads through pickle files that the scanner incorrectly classifies as safe. The library fails to flag the built-in profile.Profile.runctx function when used in a __reduce__ method, so a downstream pickle.load() of the scanned file executes arbitrary Python. Publicly available exploit code exists in the GHSA-6vqj-c2q5-j97w advisory, though no active exploitation has been reported.
Remote code execution in Pivotal CRM 6.6.04.08 Smart Client arises from insecure deserialization in the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components, allowing remote attackers to execute arbitrary code on affected installations. The vendor (Aurea/Pivotal) has published a remediation advisory and a researcher has released a public technical advisory, but the issue is not currently listed in CISA KEV and SSVC indicates no observed exploitation. CVSS 8.1 reflects high impact tempered by high attack complexity, while no public exploit identified at time of analysis is corroborated by SSVC's 'Exploitation: none'.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Uncontrolled recursion in MessagePack-CSharp's JSON conversion helpers allows remote attackers to crash .NET host processes via an uncatchable StackOverflowException, producing a denial-of-service condition in applications that route untrusted input through these APIs. Three independent recursive code paths - ConvertFromJson's FromJsonCore(), TinyJsonReader.ReadNextToken() (which recurses once per comma or colon character, enabling exploitation via malformed JSON), and the ConvertToJson ext-100 typeless extension branch - all bypass the library's existing MessagePackSecurity depth-limit enforcement. No public exploit has been identified at time of analysis, and only applications explicitly using the JSON conversion helpers (not normal typed MessagePack deserialization) are exposed.
Uncontrolled recursion in MessagePack for C# allows network-reachable attackers to crash applications by submitting deeply nested union-type payloads that bypass the library's object graph depth protection. DynamicUnionResolver's runtime-generated deserializers omit the required MessagePackSecurity.DepthStep calls, leaving union code paths entirely outside the recursion guard that protects all other formatter paths. No public exploit or active KEV listing exists at time of analysis, but any application deserializing untrusted MessagePack data via union types over a network endpoint is exposed to availability-only impact.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing the idlelib.autocomplete.AutoComplete.get_entity function inside __reduce__ methods. Because picklescan does not flag this function as dangerous, malicious ML model files (e.g., PyTorch checkpoints) appear safe to scan but execute attacker commands the moment a victim calls pickle.load(). Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis in CISA KEV.
Detection bypass in picklescan versions 0.0.26 and earlier (fixed in 0.0.30) allows attackers to smuggle arbitrary code through malicious pickle files by abusing Python's built-in ensurepip._run_pip function, which the scanner failed to flag as dangerous. Organizations relying on picklescan to vet PyTorch models or other serialized Python objects will load the file as safe and trigger remote code execution upon pickle.load(). Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified in active campaigns at time of analysis.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects high attack complexity and the prerequisite that typeless deserialization must be enabled and attacker-controlled input must reach the deserializer.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Detection bypass in picklescan versions before 0.0.30 allows malicious pickle files to evade security scanning by using cProfile.runctx in __reduce__ methods, leading to arbitrary code execution when the file is loaded via pickle.load(). The flaw undermines the core purpose of picklescan as a defensive tool for ML model security and was reported by VulnCheck with a published proof-of-concept in the GitHub Security Advisory. No public exploit identified at time of analysis as a weaponized in-the-wild attack, but PoC code is published in the GHSA.
Detection bypass in picklescan before 0.0.30 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing idlelib.pyshell.ModifiedInterpreter.runcommand inside a __reduce__ method, which the scanner fails to flag as dangerous. Any victim who relies on picklescan to vet PyTorch models or other pickle artifacts and then calls pickle.load() will execute attacker-supplied commands. Publicly available exploit code exists (PoC published in the GHSA advisory), no CISA KEV listing, and the issue is fixed in version 0.0.30.
Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. No CISA KEV listing at time of analysis, so exploitation status is limited to public POC rather than confirmed in-the-wild use.
Unsafe deserialization in zhilink ADP Application Developer Platform 1.0.0 exposes the testConnection endpoint to remote exploitation by low-privilege authenticated users via manipulation of the jdbcUrl parameter. A public exploit has been published (linked via Feishu document) despite vendor non-response to coordinated disclosure. No public exploit identified at time of analysis meets the KEV threshold, but the combination of public PoC, network-accessible endpoint, and no patch raises operational risk - particularly for organizations running this Chinese low-code/RAD platform internally.
Unsafe pickle deserialization in picklescan before 1.0.1 allows unauthenticated remote attackers to create arbitrary zero-byte files on the server by crafting malicious pickle payloads that instantiate Python's standard-library logging.FileHandler class. This technique bypasses RCE-focused blocklists because it abuses legitimate standard library functionality rather than commonly blocked modules, making it a notable blocklist-evasion primitive. A publicly available proof-of-concept exploit exists; no public exploit identified at time of analysis for active KEV-confirmed exploitation, but the PoC demonstrates concrete filesystem impact including lock-file-based denial of service.
Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension versions 1.0.0 through 4.1.3 allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at time of analysis there is no public exploit identified and the issue is not on the CISA KEV list. Risk is elevated because the trigger is a cookie value parsed before any authentication check.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty template syntax via unsanitized user input, exposing sensitive server-side values like database credentials and encryption keys. On versions 5.4.0 through 5.7.1, the flaw escalates to remote code execution by abusing registered Smarty modifiers (unserialize, file_get_contents) to drop a webshell and execute commands as the web server user. Publicly available exploit code exists via the Sansec research writeup, though no public exploit identified at time of analysis in CISA KEV.
Remote code execution in iba ibaPDA and ibaDatCoordinator allows unauthenticated network attackers to gain full system control by exploiting an unsafe deserialization flaw (CWE-502). The CVSS 4.0 score of 9.3 reflects network-reachable exploitation with no privileges or user interaction and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack profile makes it a high priority for industrial environments running these data acquisition products.
Remote code execution in PTC Windchill PDMlink and PTC FlexPLM allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. All releases prior to 11.0 M030 are affected, as are all CPS versions, and no public exploit identified at time of analysis. Reported by PTC themselves, the flaw carries a CVSS 4.0 base score of 9.3 (critical) reflecting high impact across confidentiality, integrity, and availability without requiring authentication or user interaction.
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka registry containing service registrations with DataCenterInfo.name="Netflix" to permanently break the local service discovery cache. The client's DataCenterInfo.FromJson rejects any value other than "MyOwn" or "Amazon" with an ArgumentException that is silently swallowed by the periodic cache refresh task, leaving downstream .NET services unable to discover peers. No public exploit identified at time of analysis, but the trigger is trivially reachable in mixed Java/Spring-Cloud and Steeltoe environments.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle detection by obfuscating eval calls nested under callable objects via getattr, causing the very tool intended to detect malicious pickles to miss them. Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as actively used in attacks; the CVSS 4.0 score of 9.3 reflects unauthenticated network-reachable impact on confidentiality, integrity, and availability.
Arbitrary file read in picklescan versions before 0.0.35 allows remote unauthenticated attackers to exfiltrate sensitive server files by abusing standard-library callables that the tool's RCE-focused blocklist fails to detect. By chaining io.FileIO and urllib.request.urlopen inside a malicious pickle, an attacker can stream contents of files such as /etc/passwd to an attacker-controlled URL when the scanner processes untrusted model artifacts. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis in the form of in-the-wild abuse.
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing distutils.file_util.write_file inside crafted pickle payloads. Because picklescan is used as a safety gate before loading ML model pickles, a bypass means malicious models pass scanning and can overwrite files on disk to achieve denial of service or remote code execution. Publicly available exploit code exists in the GHSA advisory, though there is no public exploit identified at time of analysis indicating active exploitation.
PHP Object Injection in the EMV Creatify WordPress theme (versions up to and including 1.5) allows remote unauthenticated attackers to trigger insecure deserialization of attacker-supplied data, potentially leading to arbitrary code execution, file operations, or full site compromise depending on available gadget chains in the WordPress runtime. Patchstack catalogs this as a PHP Object Injection issue under CWE-502, and no public exploit was identified at time of analysis. EPSS data was not supplied, but the CVSS 9.8 rating reflects unauthenticated network-reachable impact.
Unauthenticated PHP Object Injection in the EMV "The Hospital" WordPress theme (nrghospital) through version 1.8.1 lets remote attackers trigger deserialization of attacker-controlled data, which can be chained with available POP gadgets to achieve full compromise of the host site. CVSS 9.8 reflects unauthenticated network exploitability with high CIA impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated PHP object injection in the Themeton 'The Barber Shop' WordPress theme (versions up to and including 1.9) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.8, though no public exploit identified at time of analysis and EPSS data was not provided. The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class historically abused for RCE in WordPress plugin/theme ecosystems.
PHP object injection in the Themeton Lagom WordPress theme (versions up to and including 2.0) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to full site compromise. The flaw is reported by Patchstack and carries a critical CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection in the Mikado-Themes 'Château' WordPress theme (versions ≤ 1.2.1) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack with CVSS 8.1 (high) due to network-reachable, unauthenticated impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) reflects the dependency on a usable gadget chain. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by AC:H due to dependency on exploitable gadget chains in the WordPress runtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution, data theft, or site compromise when a suitable POP gadget chain is present in the WordPress environment. No public exploit identified at time of analysis, and Patchstack rates this CVSS 8.1 (High) with high attack complexity reflecting the need for a usable gadget chain.
Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) allows remote attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, potentially triggering gadget chains that can lead to remote code execution, data tampering, or site takeover. CVSS is rated 8.1 with high attack complexity but no privileges or user interaction required, and no public exploit identified at time of analysis. The issue was disclosed via Patchstack.
Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.
Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.
Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. Real-world impact depends on the gadget chains available in WordPress core or co-installed plugins.
Unauthenticated PHP Object Injection in the PressMart WordPress theme versions 1.2.26 and earlier allows remote attackers to deliver malicious serialized payloads that are deserialized by the theme, potentially leading to property-oriented gadget chain abuse and full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis, and the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme versions 1.4.1 and earlier allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins, with CVSS rated 9.8 critical. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. No public exploit identified at time of analysis, though a SEC-Consult/SEC-VLab advisory documents the issue.
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network-reachable nature makes it a high-priority patch for any site running the plugin.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. No public exploit identified at time of analysis, but the unsafe-deserialization class (CWE-502) historically yields fast weaponization once a usable POP chain is published.
Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to inject crafted serialized objects that are deserialized by vulnerable PHP code paths. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability on the underlying WordPress site, though no public exploit identified at time of analysis. The CVSS 8.1 score reflects high attack complexity, consistent with the typical need for a usable gadget chain in the host WordPress environment.
Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. The reference from Patchstack confirms the issue but no KEV listing or EPSS data is provided.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. No public exploit identified at time of analysis, and the issue is reported via Patchstack rather than the CISA KEV catalog.
Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated deserialization of untrusted data in the Slimstat Analytics WordPress plugin (versions prior to 5.4.0) allows remote attackers to exploit PHP object injection without authentication. The CVSS vector indicates high attack complexity (AC:H) and scope change (S:C), meaning successful exploitation can affect components beyond the plugin itself - potentially the broader WordPress environment or server. No public exploit identified at time of analysis, and the fix version is confirmed as 5.4.0 per Patchstack reporting.
Detection bypass leading to arbitrary code execution in picklescan before 0.0.30 allows attackers to smuggle malicious payloads past the scanner by abusing the doctest.debug_script function, which picklescan's analyzer does not recognize as dangerous. Because picklescan is used to vet untrusted pickle/ML model files before loading, a crafted pickle marked 'safe' will execute attacker commands the moment pickle.load is invoked. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV, but the technique is well-understood and was disclosed by VulnCheck.
Scanner-detection bypass in picklescan before 0.0.30 lets a crafted pickle file evade malicious-code detection and execute arbitrary code on deserialization. The tool - a Python security scanner used to vet untrusted pickle/ML model files - fails to flag `cProfile.run` calls embedded in a pickle object's `__reduce__` method, so a payload routed through `cProfile.run` passes the scan and then runs when the file is loaded. Reported by VulnCheck (CWE-502); no public exploit identified at time of analysis and it is not in CISA KEV.
Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.
Malicious-pickle detection bypass in picklescan before 0.0.28 lets attackers smuggle remote-code-execution payloads past the scanner by hiding them in a pickle reduce method that invokes torch.utils.collect_env.run, which picklescan's blocklist failed to flag. Because picklescan is the gatekeeper many ML pipelines rely on to vet untrusted models (notably scanning Hugging Face artifacts), a 'clean' verdict on a weaponized file directly leads to command execution when the victim deserializes it. Reported by VulnCheck with a fix in 0.0.28; no public exploit identified at time of analysis and not listed in CISA KEV.
Malicious pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle arbitrary code execution payloads past the scanner by abusing the built-in trace.Trace.run function inside a pickle's __reduce__ method. Because picklescan does not flag trace.Trace.run as a dangerous global, a crafted model/pickle file is reported as safe yet executes arbitrary code when later deserialized via pickle.load. No public exploit identified at time of analysis; this is a classic deny-list gap in a security scanner that defenders rely on to gate untrusted ML artifacts.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.
Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; no EPSS score was supplied.
Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.
Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.
PHP Object Injection in the Uncanny Automator Pro WordPress plugin (versions <= 7.3.0.6) allows authenticated users holding only the low-privileged Subscriber role to inject crafted serialized PHP objects into an unsafe deserialization sink (CWE-502). Depending on the gadget chains present in the plugin or co-installed software, this can escalate to remote code execution, arbitrary file operations, or database tampering. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the input-supplied CVSS of 9.8 likely overstates privileges since the title explicitly scopes the flaw to the Subscriber role.
Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the BuddyBoss Platform WordPress plugin (versions 3.0.4 and earlier) allows attackers with low-privilege Subscriber access to inject crafted serialized objects that are deserialized unsafely, potentially leading to remote code execution, data tampering, or denial of service depending on available gadget chains. The flaw was reported by Patchstack and carries a CVSS base score of 9.8; however, the 'Subscriber' qualifier implies authenticated access is required, which conflicts with the PR:N in the published vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
PHP Object Injection in the Uncanny Automator WordPress plugin (versions 7.3.1.2 and earlier) lets unauthenticated remote attackers submit crafted serialized PHP objects that the application deserializes, potentially leading to full WordPress site compromise. The flaw is rooted in unsafe deserialization of untrusted data (CWE-502) and carries high confidentiality, integrity, and availability impact (CVSS 8.1). No public exploit identified at time of analysis and it is not in CISA KEV; the high attack complexity reflects the need for a usable POP gadget chain in the target environment.
Remote code execution in JetBrains Kotlin before 2.4.20 stems from unsafe deserialization (CWE-502) of build cache metadata, allowing an attacker who can influence cached build artifacts to execute arbitrary code during a build. The flaw carries a CVSS 9.8 (C:H/I:H/A:H) rating, but there is no public exploit identified at time of analysis and EPSS is very low (0.11%, 2nd percentile), and CISA SSVC marks exploitation as 'none'. JetBrains, who reported the issue, has released a fixed version (2.4.20).
Detection bypass in picklescan through version 0.0.26 lets attackers smuggle malicious pickle payloads past the scanner by invoking idlelib.pyshell.ModifiedInterpreter.runcode from a __reduce__ method, which picklescan does not blocklist. Because organizations rely on picklescan to vet PyTorch models and serialized Python objects, a payload it marks 'safe' still achieves arbitrary command execution the moment the victim calls pickle.load(), enabling ML supply-chain attacks. Publicly available exploit code exists (GHSA-3gf5-cxq9-w223 ships a working PoC); the CVE is not in CISA KEV and EPSS data was not provided, so active exploitation is unconfirmed.
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.
PHP Object Injection in the EventPrime event-calendar-management WordPress plugin (versions 4.3.4.1 and earlier) allows an authenticated attacker holding only a low-privilege Subscriber account to inject crafted serialized objects into an unsafe deserialization sink. Depending on the PHP gadget chains present in WordPress core, the plugin, or other installed plugins, this can escalate to data tampering, information disclosure, or remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported by Patchstack.
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.
Arbitrary code execution affects the WebAuthn authentication module of Open Identity Platform OpenAM Community Edition through 16.0.6, where untrusted Java deserialization (CWE-502) of a user-controllable storage attribute lets an attacker run code as the application server user. The vendor advisory (GHSA-6c99-87fr-6q7r) characterizes this as a pre-authentication RCE, but it is reachable only in non-default deployments where the WebAuthn storage/userAttribute has become attacker-writable. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.
Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.
Detection bypass in picklescan before 0.0.29 allows attackers to craft malicious pickle files using idlelib.debugobj.ObjectTreeItem.SetText in __reduce__ methods that evade the scanner's dangerous-function checks, resulting in arbitrary command execution when the victim subsequently calls pickle.load(). The flaw turns picklescan from a security control into a false-assurance tool for ML pipelines that consume untrusted PyTorch models. Publicly available exploit code exists via the GHSA advisory, though no public exploit identified in active campaigns at time of analysis.
Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The GHSA advisory characterizes the impact as property tampering and mass assignment; maintainers rate it minor despite a reporter-assessed HIGH severity.
Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.
PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Detection bypass in picklescan versions prior to 0.0.29 allows attackers to smuggle arbitrary code execution payloads through malicious pickle files by leveraging idlelib.autocomplete.AutoComplete.fetch_completions inside the __reduce__ method. Because the scanner does not flag this built-in Python function as dangerous, victims who rely on picklescan to vet PyTorch models or other pickle artifacts will load attacker-controlled code under pickle.load(). Publicly available exploit code exists (in the GHSA advisory), though no active in-the-wild exploitation has been reported.
Detection bypass in picklescan before 0.0.28 allows attackers to embed malicious torch.jit.unsupported_tensor_ops.execWrapper calls in pickle files that evade the scanner and execute arbitrary code when later loaded via pickle.load(). Publicly available exploit code exists in the GHSA advisory, and the flaw directly undermines the security guarantee picklescan is meant to provide for PyTorch model files. No CISA KEV listing and no EPSS data are provided, but the scanner bypass nature makes this a meaningful supply-chain risk for ML pipelines.
Detection bypass in picklescan before 0.0.33 allows attackers to smuggle arbitrary code through malicious pickle files by abusing numpy.f2py.crackfortran.myeval in a __reduce__ method, which the scanner fails to flag as dangerous. Any ML pipeline or model-hosting workflow that trusts picklescan's verdict before calling pickle.load() will execute attacker-controlled commands; publicly available exploit code exists in the GHSA advisory, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact contingent on user interaction.
Detection bypass in picklescan prior to 0.0.29 allows attackers to smuggle remote code execution payloads through pickle files that the scanner incorrectly classifies as safe. The library fails to flag the built-in profile.Profile.runctx function when used in a __reduce__ method, so a downstream pickle.load() of the scanned file executes arbitrary Python. Publicly available exploit code exists in the GHSA-6vqj-c2q5-j97w advisory, though no active exploitation has been reported.
Remote code execution in Pivotal CRM 6.6.04.08 Smart Client arises from insecure deserialization in the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components, allowing remote attackers to execute arbitrary code on affected installations. The vendor (Aurea/Pivotal) has published a remediation advisory and a researcher has released a public technical advisory, but the issue is not currently listed in CISA KEV and SSVC indicates no observed exploitation. CVSS 8.1 reflects high impact tempered by high attack complexity, while no public exploit identified at time of analysis is corroborated by SSVC's 'Exploitation: none'.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Uncontrolled recursion in MessagePack-CSharp's JSON conversion helpers allows remote attackers to crash .NET host processes via an uncatchable StackOverflowException, producing a denial-of-service condition in applications that route untrusted input through these APIs. Three independent recursive code paths - ConvertFromJson's FromJsonCore(), TinyJsonReader.ReadNextToken() (which recurses once per comma or colon character, enabling exploitation via malformed JSON), and the ConvertToJson ext-100 typeless extension branch - all bypass the library's existing MessagePackSecurity depth-limit enforcement. No public exploit has been identified at time of analysis, and only applications explicitly using the JSON conversion helpers (not normal typed MessagePack deserialization) are exposed.
Uncontrolled recursion in MessagePack for C# allows network-reachable attackers to crash applications by submitting deeply nested union-type payloads that bypass the library's object graph depth protection. DynamicUnionResolver's runtime-generated deserializers omit the required MessagePackSecurity.DepthStep calls, leaving union code paths entirely outside the recursion guard that protects all other formatter paths. No public exploit or active KEV listing exists at time of analysis, but any application deserializing untrusted MessagePack data via union types over a network endpoint is exposed to availability-only impact.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing the idlelib.autocomplete.AutoComplete.get_entity function inside __reduce__ methods. Because picklescan does not flag this function as dangerous, malicious ML model files (e.g., PyTorch checkpoints) appear safe to scan but execute attacker commands the moment a victim calls pickle.load(). Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis in CISA KEV.
Detection bypass in picklescan versions 0.0.26 and earlier (fixed in 0.0.30) allows attackers to smuggle arbitrary code through malicious pickle files by abusing Python's built-in ensurepip._run_pip function, which the scanner failed to flag as dangerous. Organizations relying on picklescan to vet PyTorch models or other serialized Python objects will load the file as safe and trigger remote code execution upon pickle.load(). Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified in active campaigns at time of analysis.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects high attack complexity and the prerequisite that typeless deserialization must be enabled and attacker-controlled input must reach the deserializer.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Detection bypass in picklescan versions before 0.0.30 allows malicious pickle files to evade security scanning by using cProfile.runctx in __reduce__ methods, leading to arbitrary code execution when the file is loaded via pickle.load(). The flaw undermines the core purpose of picklescan as a defensive tool for ML model security and was reported by VulnCheck with a published proof-of-concept in the GitHub Security Advisory. No public exploit identified at time of analysis as a weaponized in-the-wild attack, but PoC code is published in the GHSA.
Detection bypass in picklescan before 0.0.30 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing idlelib.pyshell.ModifiedInterpreter.runcommand inside a __reduce__ method, which the scanner fails to flag as dangerous. Any victim who relies on picklescan to vet PyTorch models or other pickle artifacts and then calls pickle.load() will execute attacker-supplied commands. Publicly available exploit code exists (PoC published in the GHSA advisory), no CISA KEV listing, and the issue is fixed in version 0.0.30.
Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. No CISA KEV listing at time of analysis, so exploitation status is limited to public POC rather than confirmed in-the-wild use.
Unsafe deserialization in zhilink ADP Application Developer Platform 1.0.0 exposes the testConnection endpoint to remote exploitation by low-privilege authenticated users via manipulation of the jdbcUrl parameter. A public exploit has been published (linked via Feishu document) despite vendor non-response to coordinated disclosure. No public exploit identified at time of analysis meets the KEV threshold, but the combination of public PoC, network-accessible endpoint, and no patch raises operational risk - particularly for organizations running this Chinese low-code/RAD platform internally.
Unsafe pickle deserialization in picklescan before 1.0.1 allows unauthenticated remote attackers to create arbitrary zero-byte files on the server by crafting malicious pickle payloads that instantiate Python's standard-library logging.FileHandler class. This technique bypasses RCE-focused blocklists because it abuses legitimate standard library functionality rather than commonly blocked modules, making it a notable blocklist-evasion primitive. A publicly available proof-of-concept exploit exists; no public exploit identified at time of analysis for active KEV-confirmed exploitation, but the PoC demonstrates concrete filesystem impact including lock-file-based denial of service.
Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension versions 1.0.0 through 4.1.3 allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at time of analysis there is no public exploit identified and the issue is not on the CISA KEV list. Risk is elevated because the trigger is a cookie value parsed before any authentication check.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty template syntax via unsanitized user input, exposing sensitive server-side values like database credentials and encryption keys. On versions 5.4.0 through 5.7.1, the flaw escalates to remote code execution by abusing registered Smarty modifiers (unserialize, file_get_contents) to drop a webshell and execute commands as the web server user. Publicly available exploit code exists via the Sansec research writeup, though no public exploit identified at time of analysis in CISA KEV.
Remote code execution in iba ibaPDA and ibaDatCoordinator allows unauthenticated network attackers to gain full system control by exploiting an unsafe deserialization flaw (CWE-502). The CVSS 4.0 score of 9.3 reflects network-reachable exploitation with no privileges or user interaction and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack profile makes it a high priority for industrial environments running these data acquisition products.
Remote code execution in PTC Windchill PDMlink and PTC FlexPLM allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. All releases prior to 11.0 M030 are affected, as are all CPS versions, and no public exploit identified at time of analysis. Reported by PTC themselves, the flaw carries a CVSS 4.0 base score of 9.3 (critical) reflecting high impact across confidentiality, integrity, and availability without requiring authentication or user interaction.
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka registry containing service registrations with DataCenterInfo.name="Netflix" to permanently break the local service discovery cache. The client's DataCenterInfo.FromJson rejects any value other than "MyOwn" or "Amazon" with an ArgumentException that is silently swallowed by the periodic cache refresh task, leaving downstream .NET services unable to discover peers. No public exploit identified at time of analysis, but the trigger is trivially reachable in mixed Java/Spring-Cloud and Steeltoe environments.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle detection by obfuscating eval calls nested under callable objects via getattr, causing the very tool intended to detect malicious pickles to miss them. Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as actively used in attacks; the CVSS 4.0 score of 9.3 reflects unauthenticated network-reachable impact on confidentiality, integrity, and availability.
Arbitrary file read in picklescan versions before 0.0.35 allows remote unauthenticated attackers to exfiltrate sensitive server files by abusing standard-library callables that the tool's RCE-focused blocklist fails to detect. By chaining io.FileIO and urllib.request.urlopen inside a malicious pickle, an attacker can stream contents of files such as /etc/passwd to an attacker-controlled URL when the scanner processes untrusted model artifacts. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis in the form of in-the-wild abuse.
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing distutils.file_util.write_file inside crafted pickle payloads. Because picklescan is used as a safety gate before loading ML model pickles, a bypass means malicious models pass scanning and can overwrite files on disk to achieve denial of service or remote code execution. Publicly available exploit code exists in the GHSA advisory, though there is no public exploit identified at time of analysis indicating active exploitation.
PHP Object Injection in the EMV Creatify WordPress theme (versions up to and including 1.5) allows remote unauthenticated attackers to trigger insecure deserialization of attacker-supplied data, potentially leading to arbitrary code execution, file operations, or full site compromise depending on available gadget chains in the WordPress runtime. Patchstack catalogs this as a PHP Object Injection issue under CWE-502, and no public exploit was identified at time of analysis. EPSS data was not supplied, but the CVSS 9.8 rating reflects unauthenticated network-reachable impact.
Unauthenticated PHP Object Injection in the EMV "The Hospital" WordPress theme (nrghospital) through version 1.8.1 lets remote attackers trigger deserialization of attacker-controlled data, which can be chained with available POP gadgets to achieve full compromise of the host site. CVSS 9.8 reflects unauthenticated network exploitability with high CIA impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated PHP object injection in the Themeton 'The Barber Shop' WordPress theme (versions up to and including 1.9) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.8, though no public exploit identified at time of analysis and EPSS data was not provided. The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class historically abused for RCE in WordPress plugin/theme ecosystems.
PHP object injection in the Themeton Lagom WordPress theme (versions up to and including 2.0) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to full site compromise. The flaw is reported by Patchstack and carries a critical CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection in the Mikado-Themes 'Château' WordPress theme (versions ≤ 1.2.1) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack with CVSS 8.1 (high) due to network-reachable, unauthenticated impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) reflects the dependency on a usable gadget chain. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by AC:H due to dependency on exploitable gadget chains in the WordPress runtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution, data theft, or site compromise when a suitable POP gadget chain is present in the WordPress environment. No public exploit identified at time of analysis, and Patchstack rates this CVSS 8.1 (High) with high attack complexity reflecting the need for a usable gadget chain.
Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) allows remote attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, potentially triggering gadget chains that can lead to remote code execution, data tampering, or site takeover. CVSS is rated 8.1 with high attack complexity but no privileges or user interaction required, and no public exploit identified at time of analysis. The issue was disclosed via Patchstack.
Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.
Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.
Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. Real-world impact depends on the gadget chains available in WordPress core or co-installed plugins.
Unauthenticated PHP Object Injection in the PressMart WordPress theme versions 1.2.26 and earlier allows remote attackers to deliver malicious serialized payloads that are deserialized by the theme, potentially leading to property-oriented gadget chain abuse and full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis, and the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme versions 1.4.1 and earlier allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins, with CVSS rated 9.8 critical. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. No public exploit identified at time of analysis, though a SEC-Consult/SEC-VLab advisory documents the issue.
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network-reachable nature makes it a high-priority patch for any site running the plugin.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. No public exploit identified at time of analysis, but the unsafe-deserialization class (CWE-502) historically yields fast weaponization once a usable POP chain is published.
Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to inject crafted serialized objects that are deserialized by vulnerable PHP code paths. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability on the underlying WordPress site, though no public exploit identified at time of analysis. The CVSS 8.1 score reflects high attack complexity, consistent with the typical need for a usable gadget chain in the host WordPress environment.
Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. The reference from Patchstack confirms the issue but no KEV listing or EPSS data is provided.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. No public exploit identified at time of analysis, and the issue is reported via Patchstack rather than the CISA KEV catalog.
Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated deserialization of untrusted data in the Slimstat Analytics WordPress plugin (versions prior to 5.4.0) allows remote attackers to exploit PHP object injection without authentication. The CVSS vector indicates high attack complexity (AC:H) and scope change (S:C), meaning successful exploitation can affect components beyond the plugin itself - potentially the broader WordPress environment or server. No public exploit identified at time of analysis, and the fix version is confirmed as 5.4.0 per Patchstack reporting.