Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2020-15172 HIGH PATCH This Week

The Act module for Red Discord Bot before commit 6b9f3b86 is vulnerable to Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Fluffycogs
NVD GitHub
CVSS 3.1
8.8
EPSS
1.8%
CVE-2020-15148 PHP CRITICAL POC PATCH THREAT Act Now

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Yii
NVD GitHub
CVSS 3.1
10.0
EPSS
78.8%
CVE-2020-4521 HIGH PATCH This Week

IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in Java. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization Maximo Asset Management
NVD
CVSS 3.1
8.8
EPSS
6.5%
CVE-2020-1595 CRITICAL PATCH Act Now

<p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

RCE Microsoft Deserialization Sharepoint Enterprise Server Sharepoint Foundation +1
NVD
CVSS 3.1
9.9
EPSS
2.0%
CVE-2020-24164 Maven HIGH PATCH This Week

A deserialization flaw is present in Taoensso Nippy before 2.14.2. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Java RCE Deserialization Nippy
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2020-25260 CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Onbase
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2020-25259 CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Onbase
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2020-25258 CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Onbase
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-24034 HIGH POC This Week

Sagemcom F@ST 5280 routers using firmware version 1.150.61 have insecure deserialization that allows any authenticated user to perform a privilege escalation to any other user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Deserialization F St 5280 Router Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2020-17405 HIGH This Week

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Senstar Symphony 7.3.2.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Symphony
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2020-15777 Maven HIGH PATCH This Week

An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java RCE Privilege Escalation Deserialization Maven
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2020-24616 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Agile Plm Application Testing Suite +21
NVD GitHub
CVSS 3.1
8.1
EPSS
9.3%
CVE-2020-4589 CRITICAL Act Now

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE IBM Deserialization Websphere Application Server
NVD
CVSS 3.1
9.8
EPSS
8.5%
CVE-2020-5413 Maven CRITICAL PATCH Act Now

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Spring Integration Banking Corporate Lending Process Management Banking Credit Facilities Process Management +5
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2020-15098 PHP HIGH PATCH This Week

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Privilege Escalation Deserialization Typo3
NVD GitHub
CVSS 3.1
8.8
EPSS
2.2%
CVE-2020-10917 CRITICAL Act Now

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Esmpro Manager
NVD
CVSS 3.1
9.8
EPSS
5.6%
CVE-2020-9664 PHP CRITICAL Act Now

Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe RCE Deserialization PHP Magento
NVD
CVSS 3.1
9.8
EPSS
8.4%
CVE-2020-15842 Maven HIGH PATCH This Week

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Digital Experience Platform Liferay Portal
NVD
CVSS 3.1
8.1
EPSS
1.8%
CVE-2020-4464 HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization Websphere Application Server
NVD
CVSS 3.1
8.8
EPSS
13.2%
CVE-2020-11982 PyPI CRITICAL PATCH Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Deserialization RCE Airflow
NVD
CVSS 3.1
9.8
EPSS
7.2%
CVE-2020-12015 HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-12007 CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works Mc Works32 Energy Analytix +8
NVD
CVSS 3.1
9.8
EPSS
3.9%
CVE-2020-12009 HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-14000 npm CRITICAL PATCH Act Now

MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scratch Vm
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2020-9496 MEDIUM POC THREAT This Month

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Apache Deserialization Ofbiz
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
98.9%
CVE-2020-1439 HIGH PATCH This Week

A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input, aka 'PerformancePoint Services. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft RCE Deserialization Sharepoint Enterprise Server Sharepoint Foundation +1
NVD
CVSS 3.1
8.8
EPSS
20.3%
CVE-2020-1948 Maven CRITICAL PATCH Act Now

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Dubbo
NVD
CVSS 3.1
9.8
EPSS
13.9%
CVE-2020-4305 HIGH This Week

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE IBM Deserialization Infosphere Information Server Infosphere Information Server On Cloud
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2020-14172 CRITICAL Act Now

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE Deserialization Jira Jira Software Data Center
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2020-2211 Maven HIGH This Week

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes RCE Deserialization Jenkins Kubernetes Ci
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2020-10740 Maven HIGH PATCH This Week

A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Wildfly
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-14942 PyPI CRITICAL PATCH Act Now

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Tendenci
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-14933 HIGH This Week

compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Squirrelmail
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2020-14932 CRITICAL Act Now

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Squirrelmail
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2020-8165 Ruby CRITICAL POC PATCH THREAT Act Now

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux Leap
NVD
CVSS 3.1
9.8
EPSS
45.7%
CVE-2020-8164 Ruby HIGH POC PATCH This Week

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux Backports Sle Leap
NVD
CVSS 3.1
7.5
EPSS
4.2%
CVE-2020-14195 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage Debian Linux +10
NVD GitHub
CVSS 3.1
8.1
EPSS
4.5%
CVE-2020-14060 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +9
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
8.7%
CVE-2020-14062 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +10
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-14061 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Oracle Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +12
NVD GitHub
CVSS 3.1
8.1
EPSS
4.4%
CVE-2020-5411 Maven HIGH PATCH This Week

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java RCE Deserialization Spring Batch
NVD
CVSS 3.1
8.1
EPSS
1.9%
CVE-2020-0132 MEDIUM PATCH This Month

In BnAAudioService::onTransact of IAAudioService.cpp, there is a possible out of bounds read due to unsafe deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Google Deserialization Information Disclosure Android
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-4043 PHP CRITICAL PATCH Act Now

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Phpmussel
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-12000 HIGH This Week

The affected product is vulnerable to the handling of serialized data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Ignition Gateway
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-10644 HIGH POC THREAT Act Now

The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Ignition Gateway
NVD GitHub
CVSS 3.1
7.5
EPSS
20.2%
CVE-2020-4450 CRITICAL PATCH Act Now

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization Websphere Application Server
NVD
CVSS 3.1
9.8
EPSS
33.9%
CVE-2020-4449 HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

IBM Deserialization Websphere Application Server
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2020-4448 CRITICAL PATCH Act Now

IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization Websphere Application Server Websphere Virtual Enterprise
NVD
CVSS 3.1
9.8
EPSS
12.2%
CVE-2020-7660 npm HIGH PATCH This Week

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Serialize Javascript
NVD GitHub
CVSS 3.1
8.1
EPSS
3.0%
CVE-2020-12390 CRITICAL Act Now

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Deserialization Firefox
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-3280 CRITICAL Act Now

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Cisco Deserialization RCE Unified Contact Center Express
NVD
CVSS 3.1
9.8
EPSS
6.9%
CVE-2020-9484 Maven HIGH POC PATCH THREAT This Week

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server;. Rated high severity (CVSS 7.0). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache RCE Deserialization Tomcat Debian Linux +24
NVD
CVSS 3.1
7.0
EPSS
56.6%
CVE-2020-12835 CRITICAL POC THREAT Act Now

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Deserialization Readyapi
NVD
CVSS 3.1
9.8
EPSS
11.7%
CVE-2020-13092 PyPI CRITICAL POC PATCH Act Now

scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Scikit Learn
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-13091 PyPI CRITICAL POC PATCH Act Now

pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization pandas
NVD GitHub
CVSS 3.1
9.8
EPSS
3.4%
CVE-2020-11973 Maven CRITICAL PATCH Act Now

Apache Camel Netty enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Camel Communications Diameter Signaling Router +2
NVD
CVSS 3.1
9.8
EPSS
6.6%
CVE-2020-11972 Maven CRITICAL PATCH Act Now

Apache Camel RabbitMQ enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Camel Communications Diameter Signaling Router +2
NVD
CVSS 3.1
9.8
EPSS
5.5%
CVE-2020-11067 PHP HIGH PATCH This Week

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Typo3
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2020-11066 PHP CRITICAL PATCH Act Now

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Typo3
NVD GitHub
CVSS 3.1
10.0
EPSS
1.5%
CVE-2020-12760 Maven HIGH PATCH This Week

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java RCE Deserialization Opennms Horizon Opennms Meridian
NVD GitHub
CVSS 3.1
8.8
EPSS
3.4%
CVE-2020-5741 HIGH POC KEV THREAT Act Now

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Microsoft Deserialization Media Server
NVD
CVSS 3.1
7.2
EPSS
72.8%
CVE-2020-2189 Maven HIGH PATCH This Week

Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins Source Code Management Filter Jervis
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2020-12471 CRITICAL POC Act Now

MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Monox
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2020-12469 PHP MEDIUM POC This Month

admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Subrion
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-12133 CRITICAL POC Act Now

The Apros Evolution, ConsciusMap, and Furukawa provisioning systems through 2.8.1 allow remote code execution because of javax.faces.ViewState Java deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Deserialization Electric Consciousmap
NVD
CVSS 3.1
9.8
EPSS
9.9%
CVE-2020-10915 CRITICAL POC THREAT Emergency

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization One
NVD GitHub
CVSS 3.1
9.8
EPSS
86.6%
CVE-2020-10914 CRITICAL POC THREAT Emergency

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization One
NVD GitHub
CVSS 3.1
9.8
EPSS
47.0%
CVE-2020-0082 HIGH This Week

In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Privilege Escalation Deserialization Android
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-2180 Maven HIGH PATCH This Week

Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins Amazon Web Services Serverless Application Model
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2020-2179 Maven HIGH PATCH This Week

Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins Yaml Axis
NVD
CVSS 3.1
8.8
EPSS
2.9%
CVE-2020-1964 Maven CRITICAL PATCH Act Now

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Heron
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-4271 MEDIUM POC This Month

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

IBM Deserialization Qradar Security Information And Event Manager
NVD
CVSS 3.1
6.3
EPSS
1.7%
CVE-2020-2757 LOW Monitor

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Java Denial Of Service Deserialization Jdk +20
NVD
CVSS 3.1
3.7
EPSS
4.2%
CVE-2020-2756 LOW Monitor

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Java Denial Of Service Deserialization Jdk +19
NVD
CVSS 3.1
3.7
EPSS
4.2%
CVE-2020-6219 HIGH This Week

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Denial Of Service Deserialization Businessobjects Business Intelligence Platform Crystal Reports For Visual Studio
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-11630 CRITICAL Act Now

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Ejbca
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-11620 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind Debian Linux Active Iq Unified Manager +15
NVD GitHub
CVSS 3.1
8.1
EPSS
5.6%
CVE-2020-11619 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Jackson Databind Debian Linux Active Iq Unified Manager +18
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
1.3%
CVE-2020-11467 HIGH POC This Week

An issue was discovered in Deskpro before 2019.8.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Deskpro
NVD
CVSS 3.1
7.2
EPSS
4.0%
CVE-2020-11113 Maven HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 60.7%.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +29
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
60.7%
CVE-2020-11112 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +28
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
6.8%
CVE-2020-11111 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +22
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-7610 npm CRITICAL PATCH Act Now

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Bson
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-10969 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-10968 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-6967 CRITICAL Act Now

In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Rockwell Deserialization Factorytalk Services Platform
NVD
CVSS 3.1
9.8
EPSS
5.4%
CVE-2020-7961 Maven CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Liferay Portal Community Edition (CE) versions prior to 7.2.1 CE GA2 allows unauthenticated remote attackers to run arbitrary Java code by abusing the JSON web services (JSONWS) interface. This flaw is confirmed actively exploited (CISA KEV) - it was leveraged by the 'FreakOut' botnet - with publicly available exploit code and an EPSS score of 99.78% (100th percentile), placing it among the most likely to be exploited vulnerabilities. It carries a CVSS 9.8, reflecting network-reachable, no-authentication, no-interaction exploitation with full confidentiality, integrity, and availability impact.

Deserialization RCE Liferay Portal
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.8%
Threat
8.0
CVE-2020-10673 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
8.0%
CVE-2020-10672 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +28
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2020-1947 Maven CRITICAL PATCH Act Now

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Shardingsphere
NVD
CVSS 3.1
9.8
EPSS
33.9%
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The Act module for Red Discord Bot before commit 6b9f3b86 is vulnerable to Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Fluffycogs
NVD GitHub
EPSS 79% CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Yii
NVD GitHub
EPSS 6% CVSS 8.8
HIGH PATCH This Week

IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in Java. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization +1
NVD
EPSS 2% CVSS 9.9
CRITICAL PATCH Act Now

<p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

RCE Microsoft Deserialization +3
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

A deserialization flaw is present in Taoensso Nippy before 2.14.2. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Java RCE Deserialization +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Onbase
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Onbase
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Onbase
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

Sagemcom F@ST 5280 routers using firmware version 1.150.61 have insecure deserialization that allows any authenticated user to perform a privilege escalation to any other user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Deserialization F St 5280 Router Firmware
NVD
EPSS 2% CVSS 8.8
HIGH This Week

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Senstar Symphony 7.3.2.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Symphony
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java RCE Privilege Escalation +2
NVD
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +23
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL Act Now

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE IBM Deserialization +1
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Spring Integration +7
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Privilege Escalation Deserialization +1
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL Act Now

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Esmpro Manager
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe RCE Deserialization +2
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Digital Experience Platform +1
NVD
EPSS 13% CVSS 8.8
HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization +1
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Deserialization +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works +10
NVD
EPSS 4% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Scratch Vm
NVD GitHub
EPSS 99% CVSS 6.1
MEDIUM POC THREAT This Month

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Apache Deserialization +1
NVD Exploit-DB
EPSS 20% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input, aka 'PerformancePoint Services. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft RCE Deserialization +3
NVD
EPSS 14% CVSS 9.8
CRITICAL PATCH Act Now

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Dubbo
NVD
EPSS 5% CVSS 8.8
HIGH This Week

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE IBM Deserialization +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE Deserialization +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes RCE Deserialization +2
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Wildfly
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Tendenci
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Squirrelmail
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Squirrelmail
NVD
EPSS 46% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux +1
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux +2
NVD
EPSS 5% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Jackson Databind Active Iq Unified Manager +12
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +11
NVD GitHub VulDB
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +12
NVD GitHub VulDB
EPSS 4% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Oracle Deserialization Jackson Databind +14
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java RCE Deserialization +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In BnAAudioService::onTransact of IAAudioService.cpp, there is a possible out of bounds read due to unsafe deserialization. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Google Deserialization +2
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Phpmussel
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

The affected product is vulnerable to the handling of serialized data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Ignition Gateway
NVD
EPSS 20% CVSS 7.5
HIGH POC THREAT Act Now

The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Ignition Gateway
NVD GitHub
EPSS 34% CVSS 9.8
CRITICAL PATCH Act Now

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

IBM Deserialization Websphere Application Server
NVD
EPSS 12% CVSS 9.8
CRITICAL PATCH Act Now

IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE IBM Deserialization +2
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Serialize Javascript
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Deserialization Firefox
NVD
EPSS 7% CVSS 9.8
CRITICAL Act Now

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Cisco Deserialization +2
NVD
EPSS 57% CVSS 7.0
HIGH POC PATCH THREAT This Week

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server;. Rated high severity (CVSS 7.0). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache RCE Deserialization +26
NVD
EPSS 12% CVSS 9.8
CRITICAL POC THREAT Act Now

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Deserialization +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Scikit Learn
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization pandas
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Apache Camel Netty enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +4
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Apache Camel RabbitMQ enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +4
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Typo3
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Typo3
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java RCE Deserialization +2
NVD GitHub
EPSS 73% CVSS 7.2
HIGH POC KEV THREAT Act Now

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Microsoft Deserialization +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Monox
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Subrion
NVD GitHub
EPSS 10% CVSS 9.8
CRITICAL POC Act Now

The Apros Evolution, ConsciusMap, and Furukawa provisioning systems through 2.8.1 allow remote code execution because of javax.faces.ViewState Java deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Deserialization +1
NVD
EPSS 87% CVSS 9.8
CRITICAL POC THREAT Emergency

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization One
NVD GitHub
EPSS 47% CVSS 9.8
CRITICAL POC THREAT Emergency

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization One
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Google Privilege Escalation Deserialization +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins +1
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Jenkins +1
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 2% CVSS 6.3
MEDIUM POC This Month

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

IBM Deserialization Qradar Security Information And Event Manager
NVD
EPSS 4% CVSS 3.7
LOW Monitor

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Java Denial Of Service +22
NVD
EPSS 4% CVSS 3.7
LOW Monitor

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Java Denial Of Service +21
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Denial Of Service Deserialization +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Ejbca
NVD
EPSS 6% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind +17
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Jackson Databind +20
NVD GitHub VulDB
EPSS 4% CVSS 7.2
HIGH POC This Week

An issue was discovered in Deskpro before 2019.8.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Deskpro
NVD
EPSS 61% CVSS 8.8
HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 60.7%.

Apache Deserialization Jackson Databind +31
NVD GitHub VulDB
EPSS 7% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +30
NVD GitHub VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +24
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Bson
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 4% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL Act Now

In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Rockwell Deserialization Factorytalk Services Platform
NVD
EPSS 100% 8.0 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Liferay Portal Community Edition (CE) versions prior to 7.2.1 CE GA2 allows unauthenticated remote attackers to run arbitrary Java code by abusing the JSON web services (JSONWS) interface. This flaw is confirmed actively exploited (CISA KEV) - it was leveraged by the 'FreakOut' botnet - with publicly available exploit code and an EPSS score of 99.78% (100th percentile), placing it among the most likely to be exploited vulnerabilities. It carries a CVSS 9.8, reflecting network-reachable, no-authentication, no-interaction exploitation with full confidentiality, integrity, and availability impact.

Deserialization RCE Liferay Portal
NVD Exploit-DB
EPSS 8% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +30
NVD GitHub
EPSS 34% CVSS 9.8
CRITICAL PATCH Act Now

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +1
NVD
Prev Page 26 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy