Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2022-39256 NuGet HIGH PATCH This Week

Orckestra C1 CMS is a .NET based Web Content Management System. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization C1 Cms
NVD GitHub
CVSS 3.1
8.0
EPSS
1.2%
CVE-2022-2903 HIGH POC This Week

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Ninja Forms
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-36944 Maven CRITICAL POC PATCH Act Now

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Java Scala Scala Collection Compat +1
NVD GitHub
CVSS 3.1
9.8
EPSS
8.3%
CVE-2022-41237 Maven CRITICAL Act Now

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins Dotci
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-40955 Maven HIGH PATCH This Week

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization RCE Inlong
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2022-39008 CRITICAL Act Now

The NFC module has bundle serialization/deserialization vulnerabilities. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Emui Harmonyos
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2022-38352 PHP CRITICAL POC THREAT Act Now

ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
20.2%
CVE-2022-36038 HIGH PATCH This Week

CircuitVerse is an open-source platform which allows users to construct digital logic circuits online. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Circuitverse
NVD GitHub
CVSS 3.1
7.8
EPSS
0.9%
CVE-2022-2442 HIGH PATCH This Week

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP WordPress Migration Backup Staging
NVD VulDB
CVSS 3.1
7.2
EPSS
2.8%
CVE-2022-2438 HIGH PATCH This Week

The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including 1.11.16. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress Broken Link Checker
NVD VulDB
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-2436 HIGH PATCH This Week

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress Download Manager
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-2434 HIGH PATCH This Week

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress Deserialization PHP String Locator
NVD VulDB
CVSS 3.1
8.8
EPSS
4.2%
CVE-2022-2433 HIGH PATCH This Week

The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP Ajax Load More
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-2830 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Gravityzone
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-29063 CRITICAL PATCH Act Now

The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Atlassian Deserialization RCE Ofbiz
NVD
CVSS 3.1
9.8
EPSS
3.7%
CVE-2022-37023 Maven MEDIUM PATCH This Month

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Java Geode
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-37022 Maven HIGH PATCH This Week

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Java Geode
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-37021 Maven CRITICAL PATCH Act Now

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Java Geode
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-34668 PyPI CRITICAL POC PATCH Act Now

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Denial Of Service Nvflare
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
8.5%
CVE-2022-36119 HIGH This Week

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Blue Prism
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2022-2465 HIGH PATCH This Week

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Deserialization of Untrusted Data vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Rockwell Deserialization RCE Isagraf Workbench
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-33900 HIGH PATCH This Week

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP Easy Digital Downloads
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2022-29805 CRITICAL POC THREAT Act Now

A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Java Fishbowl
NVD
CVSS 3.1
9.8
EPSS
27.4%
CVE-2022-2886 HIGH POC This Week

A vulnerability, which was classified as critical, was found in Laravel 5.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Laravel
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-2870 CRITICAL POC Act Now

A vulnerability was found in laravel 5.1 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Laravel
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-33947 MEDIUM This Month

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, a vulnerability exists in undisclosed pages of the BIG-IP DNS Traffic Management. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Deserialization Big Ip Domain Name System
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-28684 HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Devexpress
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2022-35223 CRITICAL Act Now

EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mailhunter Ultimate
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-30287 HIGH POC THREAT This Week

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Groupware Debian Linux
NVD
CVSS 3.1
8.0
EPSS
70.5%
CVE-2022-35872 HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Ignition
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-35870 HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Ignition
NVD
CVSS 3.1
7.8
EPSS
43.1%
CVE-2022-33320 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-33318 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
9.8
EPSS
45.5%
CVE-2022-33316 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-33315 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-21549 MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Oracle Java Graalvm Jdk +12
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2022-2444 HIGH PATCH This Week

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP WordPress Visualizer
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.7%
CVE-2022-2437 CRITICAL PATCH Act Now

The Feed Them Social - for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress Feed Them Social
NVD VulDB
CVSS 3.1
9.8
EPSS
9.1%
CVE-2022-30981 HIGH This Week

An issue was discovered in Gentics CMS before 5.43.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE Gentics Cms
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-35857 CRITICAL POC Act Now

kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Authentication Bypass RCE Kvf Admin
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-36665 HIGH POC This Week

An issue was discovered in Druva 6.9.0 for macOS, allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Apple Deserialization Insync Client
NVD VulDB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-31605 PyPI CRITICAL PATCH Act Now

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service Nvflare
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-31604 PyPI CRITICAL PATCH Act Now

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service Nvflare
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-31115 Ruby HIGH POC PATCH This Week

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Elastic Opensearch
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2022-33107 PHP CRITICAL POC THREAT Act Now

ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
22.3%
CVE-2022-1642 HIGH This Week

A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Deserialization Swift
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-20195 MEDIUM This Month

In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Denial Of Service Google Android
NVD
CVSS 3.1
5.0
EPSS
0.2%
CVE-2022-29615 LOW Monitor

SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

Deserialization SAP Netweaver Developer Studio
NVD
CVSS 3.1
3.4
EPSS
0.2%
CVE-2022-25863 npm CRITICAL POC PATCH Act Now

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Gatsby
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-25845 Maven CRITICAL POC PATCH THREAT Act Now

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Fastjson Communications Cloud Native Core Unified Data Repository
NVD GitHub
CVSS 3.1
9.8
EPSS
17.8%
CVE-2022-1660 CRITICAL Act Now

The affected products are vulnerable of untrusted data due to deserialization without prior authorization/authentication, which may allow an attacker to remotely execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE N6854A Firmware N6841A Rf Firmware
NVD
CVSS 3.1
9.8
EPSS
16.0%
CVE-2022-29875 CRITICAL Act Now

A vulnerability has been identified in Biograph Horizon PET/CT Systems (All VJ30 versions < VJ30C-UD01), MAGNETOM Family (NUMARIS X: VA12M, VA12S, VA10B, VA20A, VA30A, VA31A), MAMMOMAT Revelation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Biograph Horizon Pet Ct Systems Firmware Magnetom Numaris X Firmware Mammomat Revelation Firmware Naeotom Alpha Firmware +14
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-28948 Go HIGH POC PATCH This Week

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Yaml Astra Trident
NVD GitHub
CVSS 3.1
7.5
EPSS
3.7%
CVE-2022-1118 HIGH This Week

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Connected Component Workbench Isagraf Workbench Safety Instrumented Systems Workstation
NVD
CVSS 3.1
7.8
EPSS
11.7%
CVE-2022-24108 CRITICAL POC THREAT Act Now

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP So Listing Tabs
NVD
CVSS 3.1
9.8
EPSS
33.0%
CVE-2022-0573 HIGH PATCH This Week

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Privilege Escalation RCE Artifactory
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2022-29363 CRITICAL POC Act Now

Phpok v6.1 was discovered to contain a deserialization vulnerability via the update_f() function in login_control.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Phpok
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-1463 HIGH POC This Week

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Booking Calendar
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-25767 Maven CRITICAL POC Act Now

All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Ureport2
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2022-25647 Maven HIGH PATCH This Week

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Deserialization Google Gson Debian Linux Active Iq Unified Manager +3
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
2.8%
CVE-2022-29936 HIGH POC This Week

USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE Oracle Oracle Optimization
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2022-1390 CRITICAL POC THREAT Act Now

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization Path Traversal Admin Word Count Column
NVD WPScan
CVSS 3.1
9.8
EPSS
21.9%
CVE-2022-29528 CRITICAL POC PATCH Act Now

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Misp
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.1%
CVE-2022-26133 CRITICAL POC PATCH THREAT Act Now

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java RCE Atlassian Bitbucket Data Center
NVD GitHub
CVSS 3.1
9.8
EPSS
71.1%
CVE-2022-21445 CRITICAL KEV THREAT Act Now

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Oracle Application Development Framework
NVD
CVSS 3.1
9.8
EPSS
62.5%
CVE-2022-27158 CRITICAL PATCH Act Now

pearweb < 1.32 suffers from Deserialization of Untrusted Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-24846 HIGH This Week

GeoWebCache is a tile caching server implemented in Java. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Geowebcache
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2022-24847 Maven HIGH PATCH This Week

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE Geoserver
NVD GitHub
CVSS 3.1
7.2
EPSS
1.5%
CVE-2022-24818 HIGH PATCH This Week

GeoTools is an open source Java library that provides tools for geospatial data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Java RCE Geotools
NVD GitHub
CVSS 3.1
7.2
EPSS
2.3%
CVE-2022-22958 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE Cloud Foundation Identity Manager +3
NVD
CVSS 3.1
7.2
EPSS
3.0%
CVE-2022-22957 HIGH POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE Cloud Foundation Identity Manager +3
NVD GitHub
CVSS 3.1
7.2
EPSS
23.1%
CVE-2022-23450 CRITICAL PATCH Act Now

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Simatic Energy Manager Basic Simatic Energy Manager Pro
NVD
CVSS 3.1
9.8
EPSS
35.8%
CVE-2022-20763 HIGH This Week

A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Cisco Webex Meetings Online
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-1032 HIGH POC PATCH This Week

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Crater
NVD GitHub
CVSS 3.1
7.2
EPSS
1.6%
CVE-2022-26503 HIGH This Week

Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Microsoft Veeam
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-0749 NuGet CRITICAL POC Act Now

This affects all versions of package SinGooCMS.Utility. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Singoocms Utility
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-23940 HIGH POC THREAT This Week

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP Suitecrm
NVD GitHub
CVSS 3.1
8.8
EPSS
53.2%
CVE-2022-24282 HIGH This Week

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE Sinec Network Management System
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2022-21828 HIGH POC This Week

A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using a unspecified attack vector in Incapptic Connect version 1.40.0,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Incapptic Connect
NVD
CVSS 3.1
7.2
EPSS
3.7%
CVE-2022-0138 HIGH This Week

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mimosa Management Platform C6X Firmware C5X Firmware C5C Firmware +1
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-42631 HIGH POC This Week

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Deserialization Virtual Appliance Web Stack
NVD VulDB
CVSS 3.1
8.1
EPSS
6.3%
CVE-2022-21341 MEDIUM This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Oracle Denial Of Service Java Graalvm +18
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2022-23307 Maven HIGH PATCH This Week

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Chainsaw Log4J Reload4J +23
NVD VulDB
CVSS 3.1
8.8
EPSS
2.7%
CVE-2022-23302 Maven HIGH PATCH This Week

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Deserialization Apache Log4J Snapmanager +24
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-21647 PHP CRITICAL PATCH Act Now

CodeIgniter is an open source PHP full-stack web framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP SQLi Codeigniter
NVD GitHub
CVSS 3.1
9.8
EPSS
37.7%
CVE-2021-20318 HIGH This Week

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-4118 PyPI HIGH POC PATCH This Week

pytorch-lightning is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Pytorch Lightning
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-44029 CRITICAL Act Now

An issue was discovered in Quest KACE Desktop Authority before 11.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Kace Desktop Authority
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2021-36336 CRITICAL PATCH Act Now

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Wyse Management Suite
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-42550 Maven MEDIUM POC PATCH This Month

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Logback Satellite Cloud Manager +3
NVD GitHub
CVSS 3.1
6.6
EPSS
4.4%
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Orckestra C1 CMS is a .NET based Web Content Management System. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization C1 Cms
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 8% CVSS 9.8
CRITICAL POC PATCH Act Now

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Java +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization RCE +1
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The NFC module has bundle serialization/deserialization vulnerabilities. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Emui Harmonyos
NVD
EPSS 20% CVSS 9.8
CRITICAL POC THREAT Act Now

ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Thinkphp
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

CircuitVerse is an open-source platform which allows users to construct digital logic circuits online. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Circuitverse
NVD GitHub
EPSS 3% CVSS 7.2
HIGH PATCH This Week

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP WordPress +1
NVD VulDB
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including 1.11.16. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress +1
NVD
EPSS 4% CVSS 8.8
HIGH PATCH This Week

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress Deserialization PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Gravityzone
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Atlassian Deserialization +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Java +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Java +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Java +1
NVD
EPSS 9% CVSS 9.8
CRITICAL POC PATCH Act Now

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Denial Of Service +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.8
HIGH This Week

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Blue Prism
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Deserialization of Untrusted Data vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Rockwell Deserialization RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP +1
NVD
EPSS 27% CVSS 9.8
CRITICAL POC THREAT Act Now

A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Java +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability, which was classified as critical, was found in Laravel 5.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Laravel
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A vulnerability was found in laravel 5.1 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Laravel
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, a vulnerability exists in undisclosed pages of the BIG-IP DNS Traffic Management. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Deserialization Big Ip Domain Name System
NVD
EPSS 3% CVSS 8.8
HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Devexpress
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mailhunter Ultimate
NVD
EPSS 70% CVSS 8.0
HIGH POC THREAT This Week

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Groupware +1
NVD
EPSS 1% CVSS 7.8
HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Ignition
NVD
EPSS 43% CVSS 7.8
HIGH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Ignition
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 45% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Oracle Java +14
NVD VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP WordPress +1
NVD GitHub VulDB
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

The Feed Them Social - for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in Gentics CMS before 5.43.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Authentication Bypass RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

An issue was discovered in Druva 6.9.0 for macOS, allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Apple Deserialization Insync Client
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Elastic Opensearch
NVD GitHub
EPSS 22% CVSS 9.8
CRITICAL POC THREAT Act Now

ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Deserialization +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Denial Of Service Google +1
NVD
EPSS 0% CVSS 3.4
LOW Monitor

SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

Deserialization SAP Netweaver Developer Studio
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Gatsby
NVD GitHub
EPSS 18% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Fastjson Communications Cloud Native Core Unified Data Repository
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL Act Now

The affected products are vulnerable of untrusted data due to deserialization without prior authorization/authentication, which may allow an attacker to remotely execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE N6854A Firmware +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

A vulnerability has been identified in Biograph Horizon PET/CT Systems (All VJ30 versions < VJ30C-UD01), MAGNETOM Family (NUMARIS X: VA12M, VA12S, VA10B, VA20A, VA30A, VA31A), MAMMOMAT Revelation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Biograph Horizon Pet Ct Systems Firmware Magnetom Numaris X Firmware +16
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Yaml Astra Trident
NVD GitHub
EPSS 12% CVSS 7.8
HIGH This Week

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Connected Component Workbench +2
NVD
EPSS 33% CVSS 9.8
CRITICAL POC THREAT Act Now

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Privilege Escalation RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Phpok v6.1 was discovered to contain a deserialization vulnerability via the update_f() function in login_control.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Phpok
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Ureport2
NVD GitHub
EPSS 3% CVSS 7.7
HIGH PATCH This Week

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Deserialization Google Gson +5
NVD GitHub VulDB
EPSS 2% CVSS 8.8
HIGH POC This Week

USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE +2
NVD GitHub
EPSS 22% CVSS 9.8
CRITICAL POC THREAT Act Now

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization +2
NVD WPScan
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Misp
NVD GitHub VulDB
EPSS 71% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java RCE +2
NVD GitHub
EPSS 62% CVSS 9.8
CRITICAL KEV THREAT Act Now

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Oracle Application Development Framework
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

pearweb < 1.32 suffers from Deserialization of Untrusted Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Pearweb
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

GeoWebCache is a tile caching server implemented in Java. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Geowebcache
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE +1
NVD GitHub
EPSS 2% CVSS 7.2
HIGH PATCH This Week

GeoTools is an open source Java library that provides tools for geospatial data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Java RCE +1
NVD GitHub
EPSS 3% CVSS 7.2
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE +5
NVD
EPSS 23% CVSS 7.2
HIGH POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE +5
NVD GitHub
EPSS 36% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Simatic Energy Manager Basic +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Cisco +1
NVD
EPSS 2% CVSS 7.2
HIGH POC PATCH This Week

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Crater
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Microsoft +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

This affects all versions of package SinGooCMS.Utility. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Singoocms Utility
NVD GitHub
EPSS 53% CVSS 8.8
HIGH POC THREAT This Week

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java RCE +1
NVD
EPSS 4% CVSS 7.2
HIGH POC This Week

A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using a unspecified attack vector in Incapptic Connect version 1.40.0,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Incapptic Connect
NVD
EPSS 1% CVSS 7.5
HIGH This Week

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mimosa Management Platform C6X Firmware +3
NVD
EPSS 6% CVSS 8.1
HIGH POC This Week

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Deserialization Virtual Appliance +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Oracle Denial Of Service +20
NVD VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Chainsaw +25
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Deserialization Apache +26
NVD VulDB
EPSS 38% CVSS 9.8
CRITICAL PATCH Act Now

CodeIgniter is an open source PHP full-stack web framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP SQLi +1
NVD GitHub
EPSS 2% CVSS 7.2
HIGH This Week

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

pytorch-lightning is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Pytorch Lightning
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Quest KACE Desktop Authority before 11.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Kace Desktop Authority
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Wyse Management Suite
NVD
EPSS 4% CVSS 6.6
MEDIUM POC PATCH This Month

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Deserialization RCE Logback +5
NVD GitHub
Prev Page 23 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy