Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2023-27372 CRITICAL POC PATCH THREAT Act Now

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Spip Debian Linux
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.6%
CVE-2023-20944 HIGH PATCH This Week

In run of ChooseTypeAndAccountActivity.java, there is a possible escalation of privilege due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Privilege Escalation Google Deserialization Android
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-26326 CRITICAL POC Act Now

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization Buddyforms
NVD
CVSS 3.1
9.8
EPSS
3.8%
CVE-2023-0960 CRITICAL POC Act Now

A vulnerability was found in SeaCMS 11.6 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Seacms
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-26234 CRITICAL POC Act Now

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Jd Gui
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-23836 HIGH This Week

SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
CVSS 3.1
7.2
EPSS
80.3%
CVE-2023-21713 HIGH PATCH This Week

Microsoft SQL Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Sql Server
NVD
CVSS 3.1
8.8
EPSS
1.8%
CVE-2023-21710 HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Exchange Server
NVD
CVSS 3.1
7.2
EPSS
7.9%
CVE-2023-21707 HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Exchange Server
NVD
CVSS 3.1
8.8
EPSS
82.0%
CVE-2023-21706 HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Exchange Server
NVD
CVSS 3.1
8.8
EPSS
4.1%
CVE-2023-21703 HIGH PATCH This Week

Azure Data Box Gateway Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Azure Data Box Gateway Azure Stack Edge
NVD
CVSS 3.1
7.2
EPSS
1.5%
CVE-2023-21568 HIGH PATCH This Week

Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization Sql Server 2019 Integration Services Sql Server 2022 Integration Services
NVD
CVSS 3.1
7.3
EPSS
0.9%
CVE-2023-21529 HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Microsoft Exchange Server 2013, 2016, and 2019 allows authenticated attackers to execute arbitrary code on the server via insecure deserialization of untrusted data (CWE-502). The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries an EPSS score of 36.68% (97th percentile), placing it among the highest-risk vulnerabilities. Successful exploitation yields full compromise of confidentiality, integrity, and availability on the targeted Exchange Server.

RCE Microsoft Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
36.7%
Threat
5.9
CVE-2023-25558 HIGH PATCH This Week

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java RCE Deserialization Datahub
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-3568 HIGH PATCH This Week

The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress Imagemagick Engine
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-25194 Maven HIGH POC PATCH THREAT Act Now

A possible security vulnerability has been identified in Apache Kafka Connect API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Apache Deserialization Kafka Connect
NVD
CVSS 3.1
8.8
EPSS
95.3%
CVE-2023-24813 PHP CRITICAL POC PATCH Act Now

Dompdf is an HTML to PDF converter written in php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Deserialization Dompdf
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2023-0669 HIGH POC KEV PATCH THREAT Act Now

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
100.0%
CVE-2023-25135 CRITICAL POC THREAT Act Now

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Vbulletin
NVD
CVSS 3.1
9.8
EPSS
23.9%
CVE-2023-24997 Maven CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-23924 PHP CRITICAL POC PATCH Act Now

Dompdf is an HTML to PDF converter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Deserialization Dompdf
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2023-24162 Maven CRITICAL POC Act Now

Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Hutool
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-21839 HIGH POC KEV PATCH THREAT Act Now

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Oracle Deserialization Weblogic Server
NVD
CVSS 3.1
7.5
EPSS
99.8%
CVE-2023-22851 HIGH POC This Week

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Deserialization Tiki
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2023-22850 HIGH POC This Week

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Tiki
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-21779 HIGH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.3%
CVE-2023-21762 HIGH This Week

Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Deserialization Exchange Server
NVD
CVSS 3.1
8.0
EPSS
1.6%
CVE-2023-21745 HIGH This Week

Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Deserialization Exchange Server
NVD
CVSS 3.1
8.0
EPSS
1.5%
CVE-2023-21744 HIGH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Deserialization Sharepoint Foundation Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
2.8%
CVE-2023-21538 NuGet HIGH PATCH This Week

.NET Denial of Service Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Net Powershell Fedora
NVD
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-4120 CRITICAL POC THREAT Act Now

The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization Stop Spammers
NVD WPScan
CVSS 3.1
9.8
EPSS
18.1%
CVE-2022-41596 HIGH PATCH This Week

The system tool has inconsistent serialization and deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Harmonyos Emui
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2022-44351 CRITICAL POC Act Now

Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Skycaiji
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-44371 CRITICAL POC Act Now

hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Hope Boot
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-32224 Ruby CRITICAL POC PATCH GHSA Act Now

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization SQLi Activerecord
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-46366 Maven CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization Tapestry
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2022-1471 Maven CRITICAL POC PATCH THREAT Act Now

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Snakeyaml
NVD GitHub
CVSS 3.1
9.8
EPSS
99.6%
CVE-2022-36964 HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
CVSS 3.1
8.8
EPSS
16.8%
CVE-2022-41958 HIGH POC PATCH This Week

super-xray is a web vulnerability scanning tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Super Xray
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-41875 CRITICAL Act Now

A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Optica
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-41922 PHP CRITICAL PATCH Act Now

`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Yii
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-3861 HIGH POC This Week

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Information Disclosure WordPress Betheme
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
3.4%
CVE-2022-3525 PHP HIGH PATCH This Week

Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Librenms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-45077 HIGH This Week

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress Deserialization Betheme
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-45047 Maven CRITICAL PATCH Act Now

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache Sshd
NVD VulDB
CVSS 3.1
9.8
EPSS
5.7%
CVE-2022-45136 Maven CRITICAL Act Now

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jena Sdb
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-38652 CRITICAL Act Now

A remote insecure deserialization vulnerability exixsts in VMWare Hyperic Agent 5.8.6. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft VMware Deserialization Hyperic Agent
NVD
CVSS 3.1
9.9
EPSS
0.8%
CVE-2022-38650 CRITICAL Act Now

A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Deserialization Hyperic Server
NVD
CVSS 3.1
10.0
EPSS
0.8%
CVE-2022-44562 CRITICAL Act Now

The system framework layer has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Emui Harmonyos
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-44559 CRITICAL Act Now

The AMS module has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Harmonyos Emui
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-44558 CRITICAL Act Now

The AMS module has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Harmonyos Emui
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-41203 HIGH This Week

In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Deserialization Businessobjects Business Intelligence
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-32601 HIGH This Week

In telephony, there is a possible permission bypass due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-31199 CRITICAL POC KEV THREAT Act Now

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Auditor
NVD
CVSS 3.1
9.8
EPSS
36.0%
CVE-2022-3536 HIGH POC This Week

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Deserialization Role Based Pricing For Woocommerce
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-42919 HIGH This Week

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Python RCE Privilege Escalation Deserialization Fedora
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2022-43567 HIGH POC This Week

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Splunk Splunk Cloud Platform
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-39379 Ruby CRITICAL PATCH Act Now

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Fluentd Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
44.7%
CVE-2022-44542 CRITICAL PATCH Act Now

lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Lesspipe
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-41779 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-38142 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
18.2%
CVE-2022-3380 HIGH POC This Week

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Customizer Export Import
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-3374 HIGH POC This Week

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Ocean Extra
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-3366 HIGH POC This Week

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Capabilities
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-3360 HIGH POC This Week

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Deserialization WordPress PHP Learnpress
NVD WPScan
CVSS 3.1
8.1
EPSS
1.8%
CVE-2022-3357 HIGH POC This Week

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Smart Slider 3
NVD WPScan
CVSS 3.1
8.8
EPSS
1.9%
CVE-2022-3334 HIGH POC This Week

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import (intentionally or not) a malicious. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Easy Wp Smtp
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-40238 HIGH This Week

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Vince
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-39944 Maven HIGH PATCH This Week

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization RCE Linkis
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-3335 HIGH POC This Week

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Kadence Woocommerce Email Designer
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-39312 Maven CRITICAL POC PATCH Act Now

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Dataease
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-38108 HIGH POC THREAT Act Now

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
CVSS 3.1
7.2
EPSS
69.5%
CVE-2022-36958 HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
CVSS 3.1
8.8
EPSS
82.7%
CVE-2022-36957 HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
CVSS 3.1
7.2
EPSS
12.3%
CVE-2022-43019 CRITICAL POC Act Now

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Opencats
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-23734 HIGH This Week

A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization SSRF Enterprise Server
NVD GitHub
CVSS 3.1
8.8
EPSS
1.9%
CVE-2022-21624 LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Oracle Java Graalvm Jdk +13
NVD VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2022-39198 Maven CRITICAL PATCH Act Now

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization RCE Dubbo
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-40889 CRITICAL POC Act Now

Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Phpok
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-22241 CRITICAL Act Now

An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Juniper Deserialization Junos
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-3291 MEDIUM This Month

Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Deserialization Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-39311 HIGH PATCH This Week

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java Gocd
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2022-39298 PHP CRITICAL PATCH Act Now

MelisFront is the engine that displays website hosted on Melis Platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Meliscms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-39297 PHP CRITICAL PATCH Act Now

MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Meliscms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-31680 CRITICAL POC THREAT Act Now

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization VMware Vcenter Server
NVD
CVSS 3.1
9.1
EPSS
33.1%
CVE-2022-26472 HIGH This Week

In ims, there is a possible escalation of privilege due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-26471 HIGH This Week

In telephony, there is a possible escalation of privilege due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-42004 Maven HIGH POC PATCH This Week

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind Quarkus Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-42003 Maven HIGH POC PATCH This Week

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind Quarkus Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-40314 PHP CRITICAL PATCH Act Now

A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Moodle
NVD
CVSS 3.1
9.8
EPSS
1.6%
EPSS 100% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Spip +1
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In run of ChooseTypeAndAccountActivity.java, there is a possible escalation of privilege due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Privilege Escalation Google Deserialization +1
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A vulnerability was found in SeaCMS 11.6 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Seacms
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Jd Gui
NVD GitHub
EPSS 80% CVSS 7.2
HIGH This Week

SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Microsoft SQL Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +1
NVD
EPSS 8% CVSS 7.2
HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +1
NVD
EPSS 82% CVSS 8.8
HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +1
NVD
EPSS 4% CVSS 8.8
HIGH PATCH This Week

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Azure Data Box Gateway Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +2
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Microsoft Deserialization +2
NVD
EPSS 37% 5.9 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Microsoft Exchange Server 2013, 2016, and 2019 allows authenticated attackers to execute arbitrary code on the server via insecure deserialization of untrusted data (CWE-502). The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries an EPSS score of 36.68% (97th percentile), placing it among the highest-risk vulnerabilities. Successful exploitation yields full compromise of confidentiality, integrity, and availability on the targeted Exchange Server.

RCE Microsoft Deserialization
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java RCE Deserialization +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress +1
NVD GitHub VulDB
EPSS 95% CVSS 8.8
HIGH POC PATCH THREAT Act Now

A possible security vulnerability has been identified in Apache Kafka Connect API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Apache Deserialization +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Dompdf is an HTML to PDF converter written in php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Deserialization +1
NVD GitHub
EPSS 100% CVSS 7.2
HIGH POC KEV PATCH THREAT Act Now

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD GitHub Exploit-DB
EPSS 24% CVSS 9.8
CRITICAL POC THREAT Act Now

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Vbulletin
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

Dompdf is an HTML to PDF converter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Deserialization +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Hutool
NVD GitHub
EPSS 100% CVSS 7.5
HIGH POC KEV PATCH THREAT Act Now

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Oracle Deserialization +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Deserialization +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Tiki
NVD
EPSS 2% CVSS 7.8
HIGH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Visual Studio Code
NVD
EPSS 2% CVSS 8.0
HIGH This Week

Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Deserialization Exchange Server
NVD
EPSS 1% CVSS 8.0
HIGH This Week

Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Deserialization Exchange Server
NVD
EPSS 3% CVSS 8.8
HIGH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Deserialization +2
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

.NET Denial of Service Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Net +2
NVD
EPSS 18% CVSS 9.8
CRITICAL POC THREAT Act Now

The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization +1
NVD WPScan
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The system tool has inconsistent serialization and deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Harmonyos Emui
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Skycaiji
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Hope Boot
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization SQLi Activerecord
NVD GitHub VulDB
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization +1
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Snakeyaml
NVD GitHub
EPSS 17% CVSS 8.8
HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

super-xray is a web vulnerability scanning tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Super Xray
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Optica
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Yii
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Information Disclosure +2
NVD VulDB GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Librenms
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress Deserialization +1
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache +1
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jena Sdb
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

A remote insecure deserialization vulnerability exixsts in VMWare Hyperic Agent 5.8.6. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft VMware +2
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Deserialization +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The system framework layer has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Emui +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The AMS module has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Harmonyos +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The AMS module has a vulnerability of serialization/deserialization mismatch. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Harmonyos +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Deserialization Businessobjects Business Intelligence
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In telephony, there is a possible permission bypass due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Deserialization Android
NVD
EPSS 36% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Auditor
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Deserialization +1
NVD WPScan VulDB
EPSS 1% CVSS 7.8
HIGH This Week

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Python RCE Privilege Escalation +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Splunk Splunk Cloud Platform
NVD
EPSS 45% CVSS 9.8
CRITICAL PATCH Act Now

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Fluentd +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Lesspipe
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
EPSS 18% CVSS 9.8
CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress +1
NVD WPScan VulDB
EPSS 1% CVSS 7.2
HIGH POC This Week

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan VulDB
EPSS 1% CVSS 7.2
HIGH POC This Week

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan VulDB
EPSS 2% CVSS 8.1
HIGH POC This Week

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Deserialization WordPress +2
NVD WPScan
EPSS 2% CVSS 8.8
HIGH POC This Week

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 7.2
HIGH POC This Week

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import (intentionally or not) a malicious. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 8.8
HIGH This Week

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Vince
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Dataease
NVD GitHub
EPSS 70% CVSS 7.2
HIGH POC THREAT Act Now

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
EPSS 83% CVSS 8.8
HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
EPSS 12% CVSS 7.2
HIGH This Week

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Orion Platform
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Opencats
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization SSRF +1
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Oracle Java +15
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Phpok
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Juniper Deserialization Junos
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Deserialization Information Disclosure
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

MelisFront is the engine that displays website hosted on Melis Platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Meliscms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Meliscms
NVD GitHub
EPSS 33% CVSS 9.1
CRITICAL POC THREAT Act Now

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization VMware +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In ims, there is a possible escalation of privilege due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In telephony, there is a possible escalation of privilege due to a parcel format mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind +3
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind +3
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Moodle
NVD
Prev Page 22 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy