Skip to main content

Deserialization

2660 CVEs technique

Monthly

CVE-2026-27410 MEDIUM PATCH This Month

Unauthenticated deserialization of untrusted data in the Slimstat Analytics WordPress plugin (versions prior to 5.4.0) allows remote attackers to exploit PHP object injection without authentication. The CVSS vector indicates high attack complexity (AC:H) and scope change (S:C), meaning successful exploitation can affect components beyond the plugin itself - potentially the broader WordPress environment or server. No public exploit identified at time of analysis, and the fix version is confirmed as 5.4.0 per Patchstack reporting.

Deserialization Slimstat Analytics
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-60205 CRITICAL Act Now

Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

PHP Deserialization Themerex Addons
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-12115 MEDIUM This Month

PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.

PHP Deserialization WordPress Information Disclosure Counter Box Add Countdowns Timers Dynamic Counters To Wordpress
NVD
CVSS 3.1
6.6
EPSS
0.7%
CVE-2026-40761 HIGH This Week

Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.

PHP Deserialization Valeska
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40760 HIGH This Week

Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Behold
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40759 HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.

PHP Deserialization Esm E
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40758 HIGH This Week

Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.

PHP Deserialization L Onie
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40755 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Techlink
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40754 HIGH This Week

Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).

PHP Deserialization Roisin
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40751 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Ashtanga
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40739 HIGH This Week

Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.

PHP Deserialization Luxedrive
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40736 HIGH This Week

Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.

PHP Deserialization Laurits
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39580 HIGH This Week

PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.

PHP Deserialization Micdrop
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39578 HIGH This Week

PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP Deserialization Valiance
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39577 HIGH This Week

PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.

PHP Deserialization Playroom
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39567 HIGH This Week

Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.

PHP Deserialization Sant
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39557 HIGH This Week

Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.

PHP Deserialization Neobeat
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39554 HIGH This Week

Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.

PHP Deserialization Fidalgo
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39539 HIGH This Week

Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.

PHP Deserialization Alloggio Hotel Booking
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39529 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. Successful chaining with a POP gadget in WordPress core or other installed plugins typically yields remote code execution or full site compromise.

PHP Deserialization Elementra
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-39446 HIGH PATCH This Week

Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available; no public exploit identified at time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.

PHP Deserialization Kapee
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39443 HIGH This Week

Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis and not listed in CISA KEV.

PHP Deserialization Emallshop
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-27429 CRITICAL Act Now

Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. Reported by Patchstack and tracked as EUVD-2026-37464.

PHP Deserialization Nifty
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-12256 HIGH This Week

PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.

PHP Deserialization Avada
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-69122 CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

PHP Deserialization Seafood Company
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-69108 CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS 9.8 due to network reachability with no authentication or user interaction, though no public exploit has been identified at time of analysis.

PHP Deserialization Hot Coffee
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-54194 CRITICAL Act Now

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the Contributor prerequisite is low in many multi-author WordPress deployments.

PHP Deserialization Fusion Builder
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35300 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.

Oracle Weblogic Server Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-48775 PyPI MEDIUM PATCH GHSA This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python RCE Langgraph +2
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-10748 HIGH PATCH This Week

Arbitrary OS command execution in Sonatype Nexus Repository 3 versions prior to 3.92.0 allows authenticated users holding the nx-licensing-create privilege to run commands as the Nexus process user by uploading a malicious license file. The flaw is rooted in unsafe deserialization (CWE-502) during license processing. No public exploit identified at time of analysis.

Deserialization Nexus Repository
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-24228 HIGH This Week

Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe deserialization of untrusted data (CWE-502) to run arbitrary code, escalate privileges, tamper with data, or disclose information. The CVSS 7.8 (AV:L/PR:L) profile and the typical ML-training use case mean exploitation requires existing access to the host running NeMo. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Nvidia Deserialization Information Disclosure RCE Nemo Framework
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-48853 CRITICAL PATCH Act Now

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.

Deserialization RCE Grpc
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-49781 CRITICAL Act Now

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Ottokit
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49770 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.

PHP Deserialization Wp Travel Engine
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49769 CRITICAL Act Now

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

PHP Deserialization Wpforo Forum
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49768 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to deliver attacker-controlled serialized objects that get deserialized by the plugin, potentially leading to remote code execution, file manipulation, or data compromise on the underlying WordPress site. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any site running the plugin. Reported by Patchstack with a corresponding advisory in their WordPress vulnerability database.

PHP Deserialization Happyforms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-49765 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.

PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49763 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. No public exploit identified at time of analysis.

PHP Deserialization Integration For Contact Form 7 Hubspot
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49109 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Integration For Salesforce And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49106 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.

PHP Deserialization Integration For Contact Form 7 And Constant Contact
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49105 CRITICAL Act Now

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.

PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49104 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.

PHP Deserialization Integration For Keap Infusionsoft And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49085 CRITICAL Act Now

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-42687 HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39532 HIGH This Week

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.

PHP Deserialization Events Calendar For Geodirectory
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39499 HIGH This Week

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.

PHP Deserialization WordPress Advanced Product Fields Product Addons For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39498 HIGH This Week

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.

PHP Deserialization Yaymail
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39481 HIGH This Week

PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Modula Image Gallery
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39478 HIGH This Week

Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Deserialization Anti Malware Security And Brute Force Firewall
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39474 HIGH This Week

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Post Duplicator
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39472 HIGH PATCH This Week

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.

PHP Deserialization WordPress Woocommerce Pdf Invoices Packing Slips
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39471 HIGH This Week

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

PHP Deserialization Shortpixel Image Optimizer
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39434 HIGH This Week

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Ctx Feed
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-27333 HIGH This Week

Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.

Deserialization Paid Videochat Turnkey Site
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-27053 CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Broadcast Live Video
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-9691 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-11860 HIGH This Week

Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.

Deserialization RCE Quick Cms
NVD
CVSS 4.0
7.5
EPSS
0.4%
CVE-2026-12191 HIGH This Week

Insecure deserialization in Comma AI Openpilot 0.11 allows a local authenticated attacker to achieve code execution by supplying a malicious pickle payload to the pickle.load/pickle.loads calls in selfdrive/modeld/modeld.py. The flaw requires local access with low privileges and no public exploit identified at time of analysis, but the vendor reportedly did not respond to coordinated disclosure, leaving the issue unpatched. CVSS 4.0 scores it 7.1 (High) with full confidentiality, integrity, and availability impact on the vulnerable system.

Deserialization Openpilot
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-48109 NuGet HIGH PATCH GHSA This Week

Denial-of-service in MessagePack-CSharp's optional LZ4 decompression path (Lz4Block and Lz4BlockArray modes) allows remote unauthenticated attackers to crash .NET applications that deserialize untrusted MessagePack payloads. A crafted payload with manipulated LZ4 token/length fields triggers an out-of-bounds read raising an AccessViolationException, and may also leak limited adjacent memory before the process dies. No public exploit identified at time of analysis, but the vendor has published an advisory (GHSA-hv8m-jj95-wg3x) with patched releases 2.5.301 and 3.1.7.

Deserialization Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-27511 Maven HIGH PATCH GHSA This Week

Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.

Atlassian Deserialization RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-41699 CRITICAL PATCH Act Now

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.

Deserialization Java RCE Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-20251 HIGH PATCH This Week

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.

Python Deserialization Splunk RCE Splunk Enterprise +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-53435 HIGH This Week

Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases.

RCE Deserialization Jenkins
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-52751 HIGH PATCH This Week

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.

RCE Deserialization Ghidra
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-10721 HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-11815 MEDIUM This Month

Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.

Deserialization RCE Layer 7 Api Gateway
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-41732 HIGH PATCH This Week

Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. No public exploit identified at time of analysis, but the CVSS 8.1 rating and CWE-502 classification place this firmly in the high-impact Java deserialization category that has historically yielded remote code execution.

Deserialization Apache Java Spring For Apache Pulsar
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41731 Maven HIGH PATCH GHSA This Week

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.

Deserialization Apache Java Spring For Apache Kafka
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40993 HIGH PATCH This Week

Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. No public exploit identified at time of analysis and EPSS is very low (0.01%), but CVSS rates impact as High due to full confidentiality, integrity, and availability loss on the application.

Deserialization Java Spring Security
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-44963 CRITICAL PATCH Act Now

Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at time of analysis, the low attack complexity and only-low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.

Deserialization RCE Backup And Replication
NVD VulDB
CVSS 4.0
9.4
EPSS
0.6%
CVE-2026-48560 MEDIUM PATCH Exploit Unlikely This Month

Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.

Microsoft XSS Deserialization Sharepoint Server
NVD VulDB
CVSS 3.1
5.4
EPSS
0.5%
CVE-2026-45484 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Microsoft Deserialization Sharepoint Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-26142 CRITICAL PATCH NEWS Exploit Unlikely Act Now

Remote code execution in Nuance PowerScribe allows unauthenticated network attackers to run arbitrary code by submitting maliciously crafted serialized objects to the application. The flaw is a CWE-502 untrusted-data deserialization issue carrying a critical CVSS 9.8 score, reported through Microsoft Security Response Center; no public exploit identified at time of analysis. Because PowerScribe is a clinical radiology reporting platform widely deployed in hospital environments, successful exploitation could compromise systems handling protected health information.

Deserialization Nuance Powerscribe 360 Nuance Powerscribe One
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49740 PHP MEDIUM PATCH GHSA This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-8365 HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-41855 CRITICAL PATCH Act Now

Unsafe JSON deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) lets an attacker who controls JMS message content instantiate arbitrary classes, enabling gadget-chain attacks that can escalate to unauthorized actions or remote code execution. It affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 when applications consume messages from an untrusted JMS source. There is no public exploit identified at time of analysis, and despite a 9.8 CVSS the EPSS probability is only 0.04% and CISA SSVC rates exploitation as 'none'.

Deserialization Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45034 PHP CRITICAL PATCH GHSA Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-7566 MEDIUM This Month

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.

PHP Information Disclosure Deserialization WordPress
NVD VulDB
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-7654 HIGH This Week

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-25551 HIGH POC This Week

Local privilege escalation in Seagull Software BarTender 2021 R1 through 12.0.1 allows any low-privileged user on the host to gain SYSTEM execution by sending a crafted BinaryFormatter payload to a localhost-bound .NET Remoting endpoint. Publicly available exploit code exists (a YSoSerial.NET-based PoC is published as a GitHub gist), and the issue carries a CVSS 4.0 base score of 8.5 with high confidentiality, integrity, and availability impact. No CISA KEV listing is present, so exploitation is opportunistic rather than confirmed in-the-wild.

Deserialization RCE Bartender 2021
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-50076 Maven CRITICAL PATCH GHSA Act Now

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the framework's class registration, TypeChecker, and DisallowedList security controls on Java/JVM platforms. By crafting malicious Fory-serialized payloads that exercise the replace-resolve path, an attacker can invoke arbitrary readResolve/readExternal hooks on any class present on the classpath, enabling gadget-chain abuse without authentication. No public exploit identified at time of analysis, but the CVSS 9.1 score and CWE-502 classification reflect the high impact typical of Java deserialization sinks.

Apache Deserialization Java
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-7888 PHP HIGH PATCH GHSA This Week

PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit identified at time of analysis. The vendor scored this 8.4 (CVSS 4.0), and CISA SSVC indicates no observed exploitation but total technical impact if successfully chained.

PHP Deserialization
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-47065 Maven CRITICAL PATCH GHSA Act Now

Unsafe Java deserialization in Apache MINA's ObjectSerializationDecoder allows remote unauthenticated attackers to bypass the acceptMatchers class allow-list and achieve arbitrary code execution. Two distinct flaws are addressed: a TC_PROXYCLASSDESC handling gap where resolveProxyClass is not overridden (permitting java.lang.reflect.Proxy instantiation outside the allow-list), and a Class.forName invocation in readClassDescriptor that triggers static initializers of allow-listed classes before any instance check. No public exploit identified at time of analysis, but the CVSS 9.8 rating and well-known deserialization attack patterns make this a high-priority issue for any application exposing MINA's object serialization codec.

Deserialization Apache Mina
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34993 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python Aiohttp
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-42211 npm HIGH POC PATCH GHSA This Week

Remote code execution in React Router 7.0.0 through 7.14.1 affects applications running in Framework Mode by chaining an application-level prototype pollution flaw with router internals to achieve unauthenticated RCE on the server. Applications using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are unaffected. No public exploit identified at time of analysis; CVSS 8.1 reflects high impact tempered by high attack complexity due to the prerequisite prototype pollution gadget.

RCE Deserialization React Router
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-24237 HIGH This Week

Local code execution in NVIDIA NVTabular allows a low-privileged attacker to abuse insecure deserialization of untrusted data, potentially leading to arbitrary code execution, data tampering, and information disclosure on the host running the library. The flaw carries a CVSS 7.8 (High) rating with confidentiality, integrity, and availability all marked High, and currently no public exploit identified at time of analysis. NVTabular is a tabular feature-engineering library used in recommender-system pipelines, so the practical blast radius is data-science workstations and ML training nodes.

Nvidia RCE Deserialization Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24221 HIGH This Week

Local code execution in NVIDIA NVTabular allows an authenticated low-privileged user to abuse improper deserialization of untrusted data to run arbitrary code, tamper with data, and disclose sensitive information. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting a local attack vector with low complexity and low privileges; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Nvidia RCE Deserialization Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-39555 HIGH This Week

PHP object injection in the Elated-Themes Askka WordPress theme through version 1.3.1 allows remote attackers to deserialize untrusted data, potentially leading to arbitrary code execution, file manipulation, or full site compromise depending on available gadget chains. The CVSS score of 8.1 reflects high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers immediate exploitability. No public exploit identified at time of analysis.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39551 HIGH This Week

PHP object injection in the Elated-Themes Töbel WordPress theme (versions up to and including 1.8.1) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or data tampering depending on available POP gadgets. Rated CVSS 8.1 (High) with no public exploit identified at time of analysis and no CISA KEV listing, though the network attack vector and lack of authentication requirement make it a meaningful risk to any WordPress site running the theme.

Deserialization T Bel
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39550 HIGH This Week

Object injection in the Elated-Themes Aperitif WordPress theme through version 1.6 allows remote attackers to trigger PHP deserialization of attacker-controlled data, potentially leading to code execution, file manipulation, or full site compromise when a suitable gadget chain is present. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization Aperitif
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated deserialization of untrusted data in the Slimstat Analytics WordPress plugin (versions prior to 5.4.0) allows remote attackers to exploit PHP object injection without authentication. The CVSS vector indicates high attack complexity (AC:H) and scope change (S:C), meaning successful exploitation can affect components beyond the plugin itself - potentially the broader WordPress environment or server. No public exploit identified at time of analysis, and the fix version is confirmed as 5.4.0 per Patchstack reporting.

Deserialization Slimstat Analytics
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

PHP Deserialization Themerex Addons
NVD VulDB
EPSS 1% CVSS 6.6
MEDIUM This Month

PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.

PHP Deserialization WordPress +2
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.

PHP Deserialization Valeska
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Behold
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.

PHP Deserialization Esm E
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.

PHP Deserialization L Onie
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Techlink
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).

PHP Deserialization Roisin
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Ashtanga
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.

PHP Deserialization Luxedrive
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.

PHP Deserialization Laurits
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.

PHP Deserialization Micdrop
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP Deserialization Valiance
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.

PHP Deserialization Playroom
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.

PHP Deserialization Sant
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.

PHP Deserialization Neobeat
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.

PHP Deserialization Fidalgo
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.

PHP Deserialization Alloggio Hotel Booking
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. Successful chaining with a POP gadget in WordPress core or other installed plugins typically yields remote code execution or full site compromise.

PHP Deserialization Elementra
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available; no public exploit identified at time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.

PHP Deserialization Kapee
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis and not listed in CISA KEV.

PHP Deserialization Emallshop
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. Reported by Patchstack and tracked as EUVD-2026-37464.

PHP Deserialization Nifty
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.

PHP Deserialization Avada
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

PHP Deserialization Seafood Company
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS 9.8 due to network reachability with no authentication or user interaction, though no public exploit has been identified at time of analysis.

PHP Deserialization Hot Coffee
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the Contributor prerequisite is low in many multi-author WordPress deployments.

PHP Deserialization Fusion Builder
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.

Oracle Weblogic Server Deserialization
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python +4
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary OS command execution in Sonatype Nexus Repository 3 versions prior to 3.92.0 allows authenticated users holding the nx-licensing-create privilege to run commands as the Nexus process user by uploading a malicious license file. The flaw is rooted in unsafe deserialization (CWE-502) during license processing. No public exploit identified at time of analysis.

Deserialization Nexus Repository
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe deserialization of untrusted data (CWE-502) to run arbitrary code, escalate privileges, tamper with data, or disclose information. The CVSS 7.8 (AV:L/PR:L) profile and the typical ML-training use case mean exploitation requires existing access to the host running NeMo. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Nvidia Deserialization Information Disclosure +2
NVD
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.

Deserialization RCE Grpc
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Ottokit
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.

PHP Deserialization Wp Travel Engine
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

PHP Deserialization Wpforo Forum
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to deliver attacker-controlled serialized objects that get deserialized by the plugin, potentially leading to remote code execution, file manipulation, or data compromise on the underlying WordPress site. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any site running the plugin. Reported by Patchstack with a corresponding advisory in their WordPress vulnerability database.

PHP Deserialization Happyforms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.

PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. No public exploit identified at time of analysis.

PHP Deserialization Integration For Contact Form 7 Hubspot
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Integration For Salesforce And Contact Form 7 Wpforms Elementor Formidable Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.

PHP Deserialization Integration For Contact Form 7 And Constant Contact
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.

PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.

PHP Deserialization Integration For Keap Infusionsoft And Contact Form 7 Wpforms Elementor Formidable Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.

PHP Deserialization Events Calendar For Geodirectory
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.

PHP Deserialization WordPress +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.

PHP Deserialization Yaymail
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Modula Image Gallery
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Deserialization Anti Malware Security And Brute Force Firewall
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Post Duplicator
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.

PHP Deserialization WordPress +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

PHP Deserialization Shortpixel Image Optimizer
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Ctx Feed
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.

Deserialization Paid Videochat Turnkey Site
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Broadcast Live Video
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.

Deserialization RCE Quick Cms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Insecure deserialization in Comma AI Openpilot 0.11 allows a local authenticated attacker to achieve code execution by supplying a malicious pickle payload to the pickle.load/pickle.loads calls in selfdrive/modeld/modeld.py. The flaw requires local access with low privileges and no public exploit identified at time of analysis, but the vendor reportedly did not respond to coordinated disclosure, leaving the issue unpatched. CVSS 4.0 scores it 7.1 (High) with full confidentiality, integrity, and availability impact on the vulnerable system.

Deserialization Openpilot
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial-of-service in MessagePack-CSharp's optional LZ4 decompression path (Lz4Block and Lz4BlockArray modes) allows remote unauthenticated attackers to crash .NET applications that deserialize untrusted MessagePack payloads. A crafted payload with manipulated LZ4 token/length fields triggers an out-of-bounds read raising an AccessViolationException, and may also leak limited adjacent memory before the process dies. No public exploit identified at time of analysis, but the vendor has published an advisory (GHSA-hv8m-jj95-wg3x) with patched releases 2.5.301 and 3.1.7.

Deserialization Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.

Atlassian Deserialization RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.

Deserialization Java RCE +1
NVD VulDB HeroDevs
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.

Python Deserialization Splunk +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases.

RCE Deserialization Jenkins
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.

RCE Deserialization Ghidra
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.

Deserialization RCE Layer 7 Api Gateway
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. No public exploit identified at time of analysis, but the CVSS 8.1 rating and CWE-502 classification place this firmly in the high-impact Java deserialization category that has historically yielded remote code execution.

Deserialization Apache Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.

Deserialization Apache Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. No public exploit identified at time of analysis and EPSS is very low (0.01%), but CVSS rates impact as High due to full confidentiality, integrity, and availability loss on the application.

Deserialization Java Spring Security
NVD VulDB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at time of analysis, the low attack complexity and only-low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.

Deserialization RCE Backup And Replication
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Unlikely This Month

Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.

Microsoft XSS Deserialization +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Microsoft Deserialization Sharepoint Server
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Exploit Unlikely Act Now

Remote code execution in Nuance PowerScribe allows unauthenticated network attackers to run arbitrary code by submitting maliciously crafted serialized objects to the application. The flaw is a CWE-502 untrusted-data deserialization issue carrying a critical CVSS 9.8 score, reported through Microsoft Security Response Center; no public exploit identified at time of analysis. Because PowerScribe is a clinical radiology reporting platform widely deployed in hospital environments, successful exploitation could compromise systems handling protected health information.

Deserialization Nuance Powerscribe 360 Nuance Powerscribe One
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unsafe JSON deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) lets an attacker who controls JMS message content instantiate arbitrary classes, enabling gadget-chain attacks that can escalate to unauthorized actions or remote code execution. It affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 when applications consume messages from an untrusted JMS source. There is no public exploit identified at time of analysis, and despite a 9.8 CVSS the EPSS probability is only 0.04% and CISA SSVC rates exploitation as 'none'.

Deserialization Java Spring Framework
NVD HeroDevs VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.

PHP Information Disclosure Deserialization +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Local privilege escalation in Seagull Software BarTender 2021 R1 through 12.0.1 allows any low-privileged user on the host to gain SYSTEM execution by sending a crafted BinaryFormatter payload to a localhost-bound .NET Remoting endpoint. Publicly available exploit code exists (a YSoSerial.NET-based PoC is published as a GitHub gist), and the issue carries a CVSS 4.0 base score of 8.5 with high confidentiality, integrity, and availability impact. No CISA KEV listing is present, so exploitation is opportunistic rather than confirmed in-the-wild.

Deserialization RCE Bartender 2021
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the framework's class registration, TypeChecker, and DisallowedList security controls on Java/JVM platforms. By crafting malicious Fory-serialized payloads that exercise the replace-resolve path, an attacker can invoke arbitrary readResolve/readExternal hooks on any class present on the classpath, enabling gadget-chain abuse without authentication. No public exploit identified at time of analysis, but the CVSS 9.1 score and CWE-502 classification reflect the high impact typical of Java deserialization sinks.

Apache Deserialization Java
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit identified at time of analysis. The vendor scored this 8.4 (CVSS 4.0), and CISA SSVC indicates no observed exploitation but total technical impact if successfully chained.

PHP Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unsafe Java deserialization in Apache MINA's ObjectSerializationDecoder allows remote unauthenticated attackers to bypass the acceptMatchers class allow-list and achieve arbitrary code execution. Two distinct flaws are addressed: a TC_PROXYCLASSDESC handling gap where resolveProxyClass is not overridden (permitting java.lang.reflect.Proxy instantiation outside the allow-list), and a Class.forName invocation in readClassDescriptor that triggers static initializers of allow-listed classes before any instance check. No public exploit identified at time of analysis, but the CVSS 9.8 rating and well-known deserialization attack patterns make this a high-priority issue for any application exposing MINA's object serialization codec.

Deserialization Apache Mina
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Remote code execution in React Router 7.0.0 through 7.14.1 affects applications running in Framework Mode by chaining an application-level prototype pollution flaw with router internals to achieve unauthenticated RCE on the server. Applications using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are unaffected. No public exploit identified at time of analysis; CVSS 8.1 reflects high impact tempered by high attack complexity due to the prerequisite prototype pollution gadget.

RCE Deserialization React Router
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NVTabular allows a low-privileged attacker to abuse insecure deserialization of untrusted data, potentially leading to arbitrary code execution, data tampering, and information disclosure on the host running the library. The flaw carries a CVSS 7.8 (High) rating with confidentiality, integrity, and availability all marked High, and currently no public exploit identified at time of analysis. NVTabular is a tabular feature-engineering library used in recommender-system pipelines, so the practical blast radius is data-science workstations and ML training nodes.

Nvidia RCE Deserialization +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NVTabular allows an authenticated low-privileged user to abuse improper deserialization of untrusted data to run arbitrary code, tamper with data, and disclose sensitive information. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting a local attack vector with low complexity and low privileges; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Nvidia RCE Deserialization +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

PHP object injection in the Elated-Themes Askka WordPress theme through version 1.3.1 allows remote attackers to deserialize untrusted data, potentially leading to arbitrary code execution, file manipulation, or full site compromise depending on available gadget chains. The CVSS score of 8.1 reflects high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers immediate exploitability. No public exploit identified at time of analysis.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP object injection in the Elated-Themes Töbel WordPress theme (versions up to and including 1.8.1) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or data tampering depending on available POP gadgets. Rated CVSS 8.1 (High) with no public exploit identified at time of analysis and no CISA KEV listing, though the network attack vector and lack of authentication requirement make it a meaningful risk to any WordPress site running the theme.

Deserialization T Bel
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Object injection in the Elated-Themes Aperitif WordPress theme through version 1.6 allows remote attackers to trigger PHP deserialization of attacker-controlled data, potentially leading to code execution, file manipulation, or full site compromise when a suitable gadget chain is present. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization Aperitif
NVD VulDB
Prev Page 3 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy