Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2021-35196 HIGH POC This Week

Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load(). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Manuskript
NVD GitHub
CVSS 3.1
7.8
EPSS
1.9%
CVE-2021-3040 HIGH This Week

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Bridgecrew Checkov
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-33176 HIGH This Week

VerneMQ MQTT Broker versions prior to 1.12.0 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Vernemq
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-33175 HIGH PATCH This Week

EMQ X Broker versions prior to 4.2.8 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Denial Of Service Emq X Broker
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-33898 HIGH PATCH This Week

In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE PHP Invoice Ninja
NVD GitHub
CVSS 3.1
8.1
EPSS
1.8%
CVE-2021-33806 CRITICAL PATCH Act Now

The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java Bdlib
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2021-23895 HIGH This Week

Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Java Database Security
NVD
CVSS 3.1
8.0
EPSS
1.9%
CVE-2021-23894 HIGH This Week

Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Java Database Security
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2021-30179 Maven CRITICAL PATCH Act Now

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java Dubbo
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2021-25641 Maven CRITICAL PATCH Act Now

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Dubbo
NVD
CVSS 3.1
9.8
EPSS
17.7%
CVE-2021-33790 CRITICAL Act Now

The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Reborncore
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-27852 CRITICAL KEV THREAT Act Now

Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Survey
NVD
CVSS 3.1
9.8
EPSS
31.9%
CVE-2021-32075 CRITICAL Act Now

Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Terraria
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-24307 HIGH POC THREAT This Week

The All in One SEO - Best WordPress SEO Plugin - Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE All In One Seo
NVD WPScan
CVSS 3.1
8.8
EPSS
53.3%
CVE-2021-32634 HIGH PATCH This Week

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java Emissary
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-31474 CRITICAL Act Now

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Network Performance Monitor
NVD
CVSS 3.1
9.8
EPSS
94.4%
CVE-2021-24280 HIGH POC This Week

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Redirection For Contact Form 7
NVD WPScan
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-33026 PyPI CRITICAL PATCH Act Now

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE Redis Privilege Escalation +1
NVD GitHub
CVSS 3.1
9.8
EPSS
7.3%
CVE-2021-29508 NuGet CRITICAL POC Act Now

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Microsoft Wire
NVD GitHub
CVSS 3.1
9.1
EPSS
1.6%
CVE-2021-32098 CRITICAL POC Act Now

Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pandora Fms
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-25152 HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Airwave
NVD
CVSS 3.1
7.2
EPSS
1.2%
CVE-2021-25151 HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Airwave
NVD
CVSS 3.1
8.8
EPSS
12.6%
CVE-2021-29476 PHP CRITICAL PATCH Act Now

Requests is a HTTP library written in PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Requests
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2021-30128 CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.07 version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
81.1%
CVE-2021-29200 CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
55.4%
CVE-2021-27277 HIGH This Week

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Orion Platform
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-3287 CRITICAL POC THREAT Emergency

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Zoho Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
51.3%
CVE-2021-21426 PHP CRITICAL PATCH Act Now

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Adobe Magento
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-3035 HIGH This Week

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Bridgecrew Checkov
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-29654 HIGH POC This Week

AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Ajaxsearchpro
NVD
CVSS 3.1
7.2
EPSS
2.2%
CVE-2021-21524 CRITICAL PATCH Act Now

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Dell Deserialization RCE Storage Monitoring And Reporting Storage Resource Manager
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2021-24217 HIGH POC This Week

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE PHP Facebook
NVD WPScan
CVSS 3.1
8.1
EPSS
3.5%
CVE-2021-1415 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE Rv340 Firmware Rv340W Firmware +2
NVD
CVSS 3.1
6.3
EPSS
1.6%
CVE-2021-1414 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE Rv340 Firmware Rv340W Firmware +2
NVD
CVSS 3.1
6.3
EPSS
1.9%
CVE-2021-1413 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE Rv340 Firmware Rv340W Firmware +2
NVD
CVSS 3.1
6.3
EPSS
1.6%
CVE-2021-27240 HIGH This Week

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Patch Manager
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-21349 Maven HIGH POC PATCH THREAT This Week

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Oncommand Insight Activemq Jmeter +14
NVD GitHub
CVSS 3.1
8.6
EPSS
46.8%
CVE-2021-21342 Maven CRITICAL POC PATCH THREAT Act Now

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Oncommand Insight Activemq Jmeter +12
NVD GitHub
CVSS 3.1
9.1
EPSS
50.0%
CVE-2021-26295 CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.06. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
97.8%
CVE-2021-21371 PyPI HIGH PATCH This Week

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Atlassian Jira Cloud
NVD GitHub
CVSS 3.1
8.6
EPSS
0.5%
CVE-2021-21488 MEDIUM This Month

Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Netweaver Knowledge Management
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-28033 Cargo CRITICAL PATCH Act Now

An issue was discovered in the byte_struct crate before 0.6.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Deserialization Byte Struct
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-24914 PHP CRITICAL POC PATCH Act Now

A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization PHP Qcubed
NVD VulDB
CVSS 3.1
9.8
EPSS
5.6%
CVE-2020-24036 HIGH POC This Week

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Fork Cms
NVD VulDB
CVSS 3.1
8.8
EPSS
2.9%
CVE-2021-20076 HIGH This Week

Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Tenable Sc
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-24066 HIGH PATCH This Week

Microsoft SharePoint Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft RCE Sharepoint Enterprise Server Sharepoint Foundation +1
NVD
CVSS 3.1
8.8
EPSS
5.9%
CVE-2021-27335 CRITICAL POC Act Now

KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java Kollect
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2021-22855 CRITICAL Act Now

The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hr Portal
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-23338 PyPI HIGH POC PATCH This Week

This affects all versions of package qlib. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Qlib
NVD GitHub
CVSS 3.1
7.2
EPSS
3.6%
CVE-2021-27213 CRITICAL POC PATCH Act Now

config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Pystemon
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2021-26915 HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in webrepdb StatusServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java Netmotion Mobility
NVD
CVSS 3.1
8.1
EPSS
41.8%
CVE-2021-26914 HIGH POC THREAT Act Now

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java Netmotion Mobility
NVD
CVSS 3.1
8.1
EPSS
77.7%
CVE-2021-26913 HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java Netmotion Mobility
NVD
CVSS 3.1
8.1
EPSS
13.3%
CVE-2021-26912 HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java Netmotion Mobility
NVD
CVSS 3.1
8.1
EPSS
41.0%
CVE-2021-25274 CRITICAL POC THREAT Act Now

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Microsoft RCE Orion Platform
NVD
CVSS 3.1
9.8
EPSS
36.4%
CVE-2021-25758 HIGH This Week

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-3160 CRITICAL Act Now

Deserialization of untrusted data in the login page of ASSUWEB 359.3 build 1 subcomponent of ACA ASSUREX RENTES product allows a remote attacker to inject unsecure serialized Java object using a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Java Assuweb
NVD
CVSS 3.1
9.8
EPSS
4.7%
CVE-2021-20190 Maven HIGH PATCH This Week

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Oncommand Api Services Oncommand Insight +4
NVD GitHub
CVSS 3.1
8.1
EPSS
7.5%
CVE-2021-25294 CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP Opencats
NVD GitHub
CVSS 3.1
9.8
EPSS
10.7%
CVE-2021-21242 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
74.2%
CVE-2021-21243 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Kubernetes Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
54.5%
CVE-2021-21604 Maven HIGH PATCH This Week

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Jenkins
NVD
CVSS 3.1
8.0
EPSS
1.7%
CVE-2020-36183 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Cloud Backup Service Level Manager +42
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
2.2%
CVE-2021-3007 PHP CRITICAL POC PATCH THREAT Act Now

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP Laminas Http Zend Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
75.3%
CVE-2020-26165 HIGH POC This Week

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Qdpm
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-35728 Maven HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.

Apache Oracle Deserialization Jackson Databind Debian Linux +38
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
41.1%
CVE-2020-35491 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +23
NVD GitHub
CVSS 3.1
8.1
EPSS
9.5%
CVE-2020-35490 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.7%
CVE-2020-22083 PyPI CRITICAL POC PATCH Act Now

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Jsonpickle
NVD GitHub
CVSS 3.1
9.8
EPSS
6.1%
CVE-2020-20136 NuGet CRITICAL POC Act Now

QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Lean
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-9301 HIGH PATCH This Week

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apple Spinnaker
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2020-17144 HIGH KEV PATCH THREAT This Week

Microsoft Exchange Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft RCE Deserialization Exchange Server
NVD
CVSS 3.1
8.4
EPSS
36.5%
CVE-2020-17531 Maven CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Tapestry
NVD
CVSS 3.1
9.8
EPSS
9.7%
CVE-2020-28948 PHP HIGH POC PATCH THREAT This Week

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Archive Tar Debian Linux Fedora Drupal
NVD GitHub
CVSS 3.1
7.8
EPSS
47.5%
CVE-2020-27131 CRITICAL Act Now

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Cisco Microsoft Deserialization Security Manager
NVD
CVSS 3.1
9.8
EPSS
87.7%
CVE-2020-5664 CRITICAL Act Now

Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Xoonips
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-28339 HIGH POC This Week

The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Deserialization Welcart E Commerce
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-26207 HIGH PATCH This Week

DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Dbschemareader
NVD GitHub
CVSS 3.1
8.0
EPSS
2.0%
CVE-2020-28032 CRITICAL PATCH Act Now

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress Deserialization PHP Fedora Debian Linux
NVD GitHub WPScan
CVSS 3.1
9.8
EPSS
16.1%
CVE-2020-10721 Maven HIGH This Week

A flaw was found in the fabric8-maven-plugin 4.0.0 and later. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Fabric8 Maven
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-24648 CRITICAL Act Now

A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Intelligent Management Center
NVD
CVSS 3.1
9.8
EPSS
10.1%
CVE-2020-7811 HIGH This Week

Samsung Update 3.0.2.0 ~ 3.0.32.0 has a vulnerability that allows privilege escalation as commands crafted by attacker are executed while the engine deserializes the data received during. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Samsung Privilege Escalation Deserialization Update
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2020-26867 CRITICAL Act Now

ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Pcvue
NVD VulDB
CVSS 3.1
9.8
EPSS
3.7%
CVE-2020-26945 Maven HIGH PATCH This Week

MyBatis before 3.5.6 mishandles deserialization of object streams. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Mybatis
NVD GitHub
CVSS 3.1
8.1
EPSS
1.8%
CVE-2020-4280 HIGH POC PATCH THREAT This Week

IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java IBM Deserialization Qradar Security Information And Event Manager
NVD
CVSS 3.1
8.8
EPSS
73.5%
CVE-2020-14030 HIGH PATCH This Week

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Ozeki Ng Sms Gateway
NVD GitHub
CVSS 3.1
7.2
EPSS
1.8%
CVE-2020-15188 CRITICAL POC PATCH Act Now

SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Soy Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
5.1%
CVE-2020-24750 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm Application Testing Suite Autovue For Agile Product Lifecycle Management +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-7532 HIGH This Week

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scadapack X70 Security Administrator
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2020-7528 HIGH This Week

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scadapack 7X Remote Connect
NVD
CVSS 3.1
7.8
EPSS
1.4%
EPSS 2% CVSS 7.8
HIGH POC This Week

Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load(). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Manuskript
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

VerneMQ MQTT Broker versions prior to 1.12.0 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Vernemq
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

EMQ X Broker versions prior to 4.2.8 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Denial Of Service Emq X Broker
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE PHP +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java +1
NVD GitHub
EPSS 2% CVSS 8.0
HIGH This Week

Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Java Database Security
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Java Database Security
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java +1
NVD
EPSS 18% CVSS 9.8
CRITICAL PATCH Act Now

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Dubbo
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Reborncore
NVD GitHub
EPSS 32% CVSS 9.8
CRITICAL KEV THREAT Act Now

Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Survey
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Terraria
NVD
EPSS 53% CVSS 8.8
HIGH POC THREAT This Week

The All in One SEO - Best WordPress SEO Plugin - Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE +1
NVD WPScan
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java +1
NVD GitHub
EPSS 94% CVSS 9.8
CRITICAL Act Now

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Network Performance Monitor
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE +3
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Microsoft Wire
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pandora Fms
NVD
EPSS 1% CVSS 7.2
HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Airwave
NVD
EPSS 13% CVSS 8.8
HIGH This Week

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Aruba Airwave
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Requests is a HTTP library written in PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Requests
NVD GitHub
EPSS 81% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.07 version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Ofbiz
NVD
EPSS 55% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Ofbiz
NVD
EPSS 1% CVSS 7.8
HIGH This Week

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Orion Platform
NVD
EPSS 51% CVSS 9.8
CRITICAL POC THREAT Emergency

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Zoho +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Adobe Magento
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 2% CVSS 7.2
HIGH POC This Week

AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Ajaxsearchpro
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Dell Deserialization RCE +2
NVD
EPSS 4% CVSS 8.1
HIGH POC This Week

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE +2
NVD WPScan
EPSS 2% CVSS 6.3
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE +4
NVD
EPSS 2% CVSS 6.3
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE +4
NVD
EPSS 2% CVSS 6.3
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Deserialization RCE +4
NVD
EPSS 0% CVSS 7.8
HIGH This Week

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Patch Manager
NVD
EPSS 47% CVSS 8.6
HIGH POC PATCH THREAT This Week

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Oncommand Insight +16
NVD GitHub
EPSS 50% CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Java Oncommand Insight +14
NVD GitHub
EPSS 98% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache OFBiz has unsafe deserialization prior to 17.12.06. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Apache Ofbiz
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Atlassian +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Netweaver Knowledge Management
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in the byte_struct crate before 0.6.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Deserialization Byte Struct
NVD
EPSS 6% CVSS 9.8
CRITICAL POC PATCH Act Now

A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization PHP Qcubed
NVD VulDB
EPSS 3% CVSS 8.8
HIGH POC This Week

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Fork Cms
NVD VulDB
EPSS 2% CVSS 8.8
HIGH This Week

Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Tenable Sc
NVD
EPSS 6% CVSS 8.8
HIGH PATCH This Week

Microsoft SharePoint Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft RCE +3
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Hr Portal
NVD
EPSS 4% CVSS 7.2
HIGH POC PATCH This Week

This affects all versions of package qlib. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Qlib
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Pystemon
NVD GitHub
EPSS 42% CVSS 8.1
HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in webrepdb StatusServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 78% CVSS 8.1
HIGH POC THREAT Act Now

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 13% CVSS 8.1
HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 41% CVSS 8.1
HIGH POC THREAT This Week

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Microsoft RCE +1
NVD
EPSS 1% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Intellij Idea
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in the login page of ASSUWEB 359.3 build 1 subcomponent of ACA ASSUREX RENTES product allows a remote attacker to inject unsecure serialized Java object using a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 7% CVSS 8.1
HIGH PATCH This Week

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +6
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP +1
NVD GitHub
EPSS 74% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Onedev
NVD GitHub
EPSS 54% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Kubernetes Onedev
NVD GitHub
EPSS 2% CVSS 8.0
HIGH PATCH This Week

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Jenkins
NVD
EPSS 2% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +44
NVD GitHub VulDB
EPSS 75% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP +2
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Qdpm
NVD
EPSS 41% CVSS 8.1
HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.

Apache Oracle Deserialization +40
NVD GitHub VulDB
EPSS 9% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +25
NVD GitHub
EPSS 8% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +24
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL POC PATCH Act Now

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Jsonpickle
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Lean
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apple Spinnaker
NVD GitHub
EPSS 37% CVSS 8.4
HIGH KEV PATCH THREAT This Week

Microsoft Exchange Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft RCE Deserialization +1
NVD
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +1
NVD
EPSS 47% CVSS 7.8
HIGH POC PATCH THREAT This Week

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Archive Tar Debian Linux +2
NVD GitHub
EPSS 88% CVSS 9.8
CRITICAL Act Now

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Cisco Microsoft +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Xoonips
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Deserialization Welcart E Commerce
NVD
EPSS 2% CVSS 8.0
HIGH PATCH This Week

DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Dbschemareader
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL PATCH Act Now

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress Deserialization PHP +2
NVD GitHub WPScan
EPSS 1% CVSS 7.8
HIGH This Week

A flaw was found in the fabric8-maven-plugin 4.0.0 and later. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Fabric8 Maven
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Intelligent Management Center
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Samsung Update 3.0.2.0 ~ 3.0.32.0 has a vulnerability that allows privilege escalation as commands crafted by attacker are executed while the engine deserializes the data received during. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Samsung Privilege Escalation Deserialization +1
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Pcvue
NVD VulDB
EPSS 2% CVSS 8.1
HIGH PATCH This Week

MyBatis before 3.5.6 mishandles deserialization of object streams. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Mybatis
NVD GitHub
EPSS 73% CVSS 8.8
HIGH POC PATCH THREAT This Week

IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java IBM Deserialization +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Ozeki Ng Sms Gateway
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Soy Cms
NVD GitHub
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm +24
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scadapack X70 Security Administrator
NVD
EPSS 1% CVSS 7.8
HIGH This Week

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scadapack 7X Remote Connect
NVD
Prev Page 25 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy