Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2021-0970 HIGH PATCH This Week

In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-0928 HIGH This Week

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-0921 HIGH This Week

In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2021-4104 Maven HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache Log4J Fedora +44
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
72.2%
CVE-2021-24857 CRITICAL POC Act Now

The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Totop Link
NVD WPScan
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-42130 HIGH This Week

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti Avalanche
NVD
CVSS 3.1
8.8
EPSS
62.2%
CVE-2021-42127 CRITICAL Act Now

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti Avalanche
NVD
CVSS 3.1
9.8
EPSS
65.8%
CVE-2021-42125 HIGH This Week

An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization File Upload Ivanti Avalanche
NVD
CVSS 3.1
8.8
EPSS
81.6%
CVE-2021-44682 CRITICAL Act Now

An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44681 CRITICAL Act Now

An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44680 CRITICAL Act Now

An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44679 CRITICAL Act Now

An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44678 CRITICAL Act Now

An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44677 CRITICAL Act Now

An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-36567 PHP CRITICAL POC Act Now

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-36564 PHP CRITICAL POC PATCH Act Now

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-23758 NuGet CRITICAL POC PATCH THREAT Act Now

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Ajaxpro 2
NVD GitHub
CVSS 3.1
9.8
EPSS
88.8%
CVE-2021-43360 HIGH This Week

Sunnet eHRD e-mail delivery task schedule’s serialization function has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Ehrd
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2021-22095 Maven MEDIUM PATCH This Month

In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Spring Advanced Message Queuing Protocol
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-34992 HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE C1 Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
4.1%
CVE-2021-26558 HIGH This Week

Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Shardingsphere Ui
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-42698 HIGH This Week

Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Daqfactory
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2021-42237 CRITICAL POC KEV THREAT Emergency

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Deserialization Experience Platform
NVD VulDB
CVSS 3.1
9.8
EPSS
99.2%
Threat
7.9
CVE-2021-22097 Maven MEDIUM PATCH This Month

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Spring Advanced Message Queuing Protocol
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-41078 PyPI HIGH POC PATCH This Week

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Nameko
NVD GitHub
CVSS 3.1
7.8
EPSS
1.5%
CVE-2021-40865 Maven CRITICAL PATCH Act Now

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache RCE Storm
NVD
CVSS 3.1
9.8
EPSS
65.6%
CVE-2021-40719 CRITICAL Act Now

Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary method invocation when AMF messages are deserialized on an Adobe. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Adobe Connect
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2021-39321 HIGH POC PATCH This Week

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization WordPress PHP Sassy Social Share
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-40720 PyPI CRITICAL PATCH Act Now

Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Ops Cli
NVD
CVSS 3.1
9.8
EPSS
9.2%
CVE-2021-40843 HIGH This Week

Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

SQLi Deserialization RCE Insider Threat Management Server
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2021-33728 HIGH PATCH This Week

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java Sinec Nms
NVD
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-42090 CRITICAL Act Now

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Zammad
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-41129 PHP HIGH PATCH This Week

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Panel
NVD GitHub
CVSS 3.1
8.1
EPSS
1.7%
CVE-2021-0685 HIGH PATCH This Week

In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-41110 CRITICAL POC PATCH Act Now

cwlviewer is a web application to view and share Common Workflow Language workflows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Cwlviewer
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2021-41616 Maven CRITICAL Act Now

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java Ddlutils
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2021-41588 HIGH This Week

In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Java Gradle
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-40102 CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Concrete Cms
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-31819 NuGet CRITICAL PATCH Act Now

In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Halibut
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-39392 CRITICAL Act Now

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Mylittlebackup
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-37181 CRITICAL PATCH Act Now

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft Cerberus Dms Desigo Cc Desigo Cc Compact
NVD
CVSS 3.1
10.0
EPSS
1.9%
CVE-2021-39207 PyPI HIGH PATCH This Week

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Parlai
NVD GitHub
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-24040 PyPI CRITICAL POC PATCH THREAT Act Now

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Parlai
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
17.4%
CVE-2021-37579 Maven CRITICAL PATCH Act Now

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java Dubbo
NVD
CVSS 3.1
9.8
EPSS
6.7%
CVE-2021-32836 HIGH POC This Week

ZStack is open source IaaS(infrastructure as a service) software. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Denial Of Service Code Injection Zstack
NVD GitHub
CVSS 3.1
8.1
EPSS
2.0%
CVE-2021-35217 HIGH This Week

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Patch Manager
NVD
CVSS 3.1
8.8
EPSS
73.9%
CVE-2021-36163 Maven CRITICAL PATCH Act Now

In Apache Dubbo, users may choose to use the Hessian protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Dubbo
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2021-32568 HIGH POC PATCH This Week

mrdoc is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Mrdoc
NVD GitHub
CVSS 3.1
7.8
EPSS
0.8%
CVE-2021-35218 HIGH This Week

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Orion Platform
NVD
CVSS 3.1
8.8
EPSS
76.4%
CVE-2021-35216 HIGH PATCH This Week

Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization RCE Patch Manager
NVD
CVSS 3.1
8.8
EPSS
81.4%
CVE-2021-35215 HIGH PATCH This Week

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Orion Platform
NVD
CVSS 3.1
8.8
EPSS
69.7%
CVE-2021-36231 HIGH POC This Week

Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mik Starlight
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2021-21677 Maven HIGH PATCH This Week

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jenkins Java Code Coverage Api
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2021-36981 HIGH POC PATCH This Week

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization RCE Java Verinice
NVD GitHub
CVSS 3.1
8.8
EPSS
6.0%
CVE-2021-39132 Maven HIGH PATCH This Week

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization File Upload Rundeck
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-34066 CRITICAL POC Act Now

An issue was discovered in EdgeGallery/developer before v1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Developer Be
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-21741 CRITICAL Act Now

There is a command execution vulnerability in a ZTE conference management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zte Zxv10 M910 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-24579 HIGH POC This Week

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Bold Page Builder
NVD WPScan
CVSS 3.1
8.8
EPSS
8.2%
CVE-2021-21869 HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
CVSS 3.1
7.8
EPSS
1.8%
CVE-2021-31010 HIGH KEV THREAT This Week

A deserialization issue was addressed through improved validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apple Ipados Iphone Os Mac Os X +2
NVD
CVSS 3.1
7.5
EPSS
3.7%
CVE-2021-39152 Maven HIGH POC PATCH THREAT This Week

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Java Xstream Fedora Debian Linux +12
NVD GitHub
CVSS 3.1
8.5
EPSS
11.5%
CVE-2021-39150 Maven HIGH POC PATCH This Week

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Java Xstream Fedora Debian Linux +12
NVD GitHub
CVSS 3.1
8.5
EPSS
3.4%
CVE-2021-39140 Maven MEDIUM POC PATCH This Month

XStream is a simple library to serialize objects to XML and back again. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Denial Of Service Xstream Debian Linux Fedora +12
NVD GitHub
CVSS 3.1
6.3
EPSS
5.9%
CVE-2021-21868 HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
CVSS 3.1
7.8
EPSS
1.6%
CVE-2021-21867 HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
CVSS 3.1
7.8
EPSS
1.6%
CVE-2021-37678 PyPI HIGH PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE Tensorflow
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-38585 HIGH This Week

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Cpanel
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2021-23420 PHP CRITICAL POC PATCH Act Now

This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Codeception
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2021-37544 CRITICAL Act Now

In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Teamcity
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-37632 HIGH This Week

SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Config Lib
NVD GitHub
CVSS 3.1
8.1
EPSS
1.7%
CVE-2021-34371 Maven CRITICAL POC PATCH THREAT Act Now

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java Neo4j
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
13.4%
CVE-2021-21863 HIGH PATCH This Week

A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Development System
NVD
CVSS 3.1
7.8
EPSS
1.2%
CVE-2021-36483 HIGH This Week

DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Devexpress
NVD GitHub
CVSS 3.1
8.8
EPSS
2.9%
CVE-2021-21866 HIGH POC PATCH This Week

A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Development System
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-21865 HIGH PATCH This Week

A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Development System
NVD
CVSS 3.1
7.8
EPSS
1.3%
CVE-2021-21864 HIGH POC PATCH This Week

A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Development System
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-36766 HIGH POC This Week

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
3.7%
CVE-2021-29781 CRITICAL PATCH Act Now

IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization IBM RCE Partner Engagement Manager
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2021-37578 Maven CRITICAL PATCH Act Now

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Apache Java Juddi
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2021-22777 HIGH This Week

A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Sosafe Configurable
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-34520 HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft RCE Sharepoint Foundation Sharepoint Server
NVD
CVSS 3.1
8.1
EPSS
3.3%
CVE-2021-32742 CRITICAL Act Now

Vapor is a web framework for Swift. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Vapor
NVD GitHub
CVSS 3.1
9.1
EPSS
1.2%
CVE-2021-29150 HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Clearpass Policy Manager
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-24384 CRITICAL POC Act Now

The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Joomsport
NVD WPScan
CVSS 3.1
9.8
EPSS
2.1%
CVE-2021-35971 CRITICAL Act Now

Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Veeam Backup Replication
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-29485 Maven HIGH PATCH This Week

Ratpack is a toolkit for creating web applications. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Java Ratpack
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-22439 HIGH This Week

There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Huawei Anyoffice
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-31649 Maven CRITICAL POC Act Now

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Redis Jfinal
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-34394 MEDIUM This Month

Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Deserialization Nvidia Information Disclosure Jetson Linux
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2021-34393 MEDIUM This Month

Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Information Disclosure Jetson Linux
NVD
CVSS 3.1
4.4
EPSS
0.3%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization Privilege Escalation +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Deserialization Privilege Escalation +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Deserialization Privilege Escalation +1
NVD
EPSS 72% CVSS 7.5
HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache +46
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 62% CVSS 8.8
HIGH This Week

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti +1
NVD
EPSS 66% CVSS 9.8
CRITICAL Act Now

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti +1
NVD
EPSS 82% CVSS 8.8
HIGH This Week

An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization File Upload Ivanti +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hashicorp Enterprise Vault
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Thinkphp
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Thinkphp
NVD GitHub
EPSS 89% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Ajaxpro 2
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

Sunnet eHRD e-mail delivery task schedule’s serialization function has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Ehrd
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Spring Advanced Message Queuing Protocol
NVD
EPSS 4% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE C1 Cms
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Shardingsphere Ui
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Daqfactory
NVD
EPSS 99% 7.9 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Deserialization Experience Platform
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Spring Advanced Message Queuing Protocol
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Nameko
NVD GitHub
EPSS 66% CVSS 9.8
CRITICAL PATCH Act Now

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache RCE +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary method invocation when AMF messages are deserialized on an Adobe. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Adobe +1
NVD
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization WordPress PHP +1
NVD
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Ops Cli
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

SQLi Deserialization RCE +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Zammad
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP Panel
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Google Deserialization Privilege Escalation +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

cwlviewer is a web application to view and share Common Workflow Language workflows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Cwlviewer
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Java Gradle
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Concrete Cms
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Halibut
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Mylittlebackup
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft Cerberus Dms +2
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Parlai
NVD GitHub
EPSS 17% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Parlai
NVD GitHub Exploit-DB
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java +1
NVD
EPSS 2% CVSS 8.1
HIGH POC This Week

ZStack is open source IaaS(infrastructure as a service) software. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Denial Of Service +2
NVD GitHub
EPSS 74% CVSS 8.8
HIGH This Week

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Patch Manager
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Dubbo, users may choose to use the Hessian protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Dubbo
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

mrdoc is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Mrdoc
NVD GitHub
EPSS 76% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Orion Platform
NVD
EPSS 81% CVSS 8.8
HIGH PATCH This Week

Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Deserialization RCE Patch Manager
NVD
EPSS 70% CVSS 8.8
HIGH PATCH This Week

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Orion Platform
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mik Starlight
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jenkins +2
NVD
EPSS 6% CVSS 8.8
HIGH POC PATCH This Week

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization RCE Java +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization File Upload Rundeck
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in EdgeGallery/developer before v1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Developer Be
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

There is a command execution vulnerability in a ZTE conference management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zte Zxv10 M910 Firmware
NVD
EPSS 8% CVSS 8.8
HIGH POC This Week

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 2% CVSS 7.8
HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
EPSS 4% CVSS 7.5
HIGH KEV THREAT This Week

A deserialization issue was addressed through improved validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apple Ipados +4
NVD
EPSS 11% CVSS 8.5
HIGH POC PATCH THREAT This Week

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Java Xstream +14
NVD GitHub
EPSS 3% CVSS 8.5
HIGH POC PATCH This Week

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Java Xstream +14
NVD GitHub
EPSS 6% CVSS 6.3
MEDIUM POC PATCH This Month

XStream is a simple library to serialize objects to XML and back again. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. Public exploit code available.

Deserialization Denial Of Service Xstream +14
NVD GitHub
EPSS 2% CVSS 7.8
HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
EPSS 2% CVSS 7.8
HIGH POC PATCH This Week

An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Codesys
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Cpanel
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Codeception
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Teamcity
NVD
EPSS 2% CVSS 8.1
HIGH This Week

SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Config Lib
NVD GitHub
EPSS 13% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD Exploit-DB
EPSS 1% CVSS 7.8
HIGH PATCH This Week

A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Development System
NVD
EPSS 3% CVSS 8.8
HIGH This Week

DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Devexpress
NVD GitHub
EPSS 2% CVSS 7.8
HIGH POC PATCH This Week

A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Development System
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Development System
NVD
EPSS 2% CVSS 7.8
HIGH POC PATCH This Week

A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Development System
NVD
EPSS 4% CVSS 7.2
HIGH POC This Week

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Concrete Cms
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization IBM RCE +1
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Apache +2
NVD
EPSS 1% CVSS 7.8
HIGH This Week

A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Sosafe Configurable
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft RCE +2
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Vapor is a web framework for Swift. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Vapor
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Clearpass Policy Manager
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 9.8
CRITICAL Act Now

Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Veeam Backup Replication
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Ratpack is a toolkit for creating web applications. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Java +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Huawei Anyoffice
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Redis Jfinal
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Deserialization Nvidia +2
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Information Disclosure +1
NVD
Prev Page 24 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy