Skip to main content

Deserialization

2663 CVEs technique

Monthly

CVE-2017-5954 npm CRITICAL POC PATCH Act Now

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Node.js RCE Serialize To Js
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2017-5941 npm CRITICAL POC THREAT Emergency

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

Deserialization Node.js RCE Node Serialize
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
77.9%
Threat
5.8
CVE-2016-6199 CRITICAL POC Act Now

ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE Gradle
NVD
CVSS 3.0
9.8
EPSS
2.3%
CVE-2016-3415 CRITICAL Act Now

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zimbra Collaboration Suite
NVD VulDB
CVSS 3.0
9.1
EPSS
0.5%
CVE-2016-7480 CRITICAL POC PATCH Act Now

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service PHP Buffer Overflow RCE +1
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2016-9936 CRITICAL POC PATCH Act Now

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service Use After Free PHP
NVD GitHub
CVSS 3.0
9.8
EPSS
0.7%
CVE-2016-7462 HIGH This Week

The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Privilege Escalation VMware Vrealize Operations
NVD
CVSS 3.0
8.5
EPSS
1.7%
CVE-2016-6620 CRITICAL PATCH Act Now

An issue was discovered in phpMyAdmin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE PHP Phpmyadmin
NVD
CVSS 3.0
9.8
EPSS
1.4%
CVE-2016-7065 HIGH POC THREAT Act Now

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.1%.

RCE Deserialization Denial Of Service Java Red Hat +1
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
12.1%
CVE-2016-5019 Maven CRITICAL PATCH Act Now

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Myfaces Trinidad
NVD
CVSS 3.0
9.8
EPSS
6.0%
CVE-2016-4385 HIGH This Week

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization HP Java Apache Network Automation
NVD
CVSS 3.0
7.3
EPSS
3.7%
CVE-2016-6330 CRITICAL Act Now

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.0% and no vendor patch available.

Deserialization Red Hat RCE Jboss Operations Network
NVD
CVSS 3.0
9.8
EPSS
13.0%
CVE-2016-4978 Maven HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache Activemq Artemis Jboss Enterprise Application Platform
NVD VulDB
CVSS 3.1
7.2
EPSS
1.4%
CVE-2016-7411 CRITICAL POC PATCH Act Now

ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service PHP Buffer Overflow
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2016-7124 CRITICAL POC PATCH THREAT Act Now

ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 74.7%.

Deserialization Denial Of Service PHP
NVD GitHub
CVSS 3.0
9.8
EPSS
74.7%
Threat
5.7
CVE-2016-5773 CRITICAL POC PATCH THREAT Act Now

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.1%.

Memory Corruption Deserialization Denial Of Service Use After Free PHP +1
NVD GitHub
CVSS 3.0
9.8
EPSS
16.1%
CVE-2016-5771 CRITICAL POC PATCH Act Now

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service Use After Free PHP +4
NVD GitHub
CVSS 3.1
9.8
EPSS
9.6%
CVE-2016-3737 CRITICAL Act Now

The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Red Hat RCE Jboss Operations Network
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-6295 CRITICAL POC PATCH Act Now

ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service Use After Free PHP
NVD
CVSS 3.0
9.8
EPSS
5.1%
CVE-2016-6290 CRITICAL Act Now

ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Deserialization Denial Of Service Use After Free PHP
NVD
CVSS 3.0
9.8
EPSS
8.4%
CVE-2016-1114 CRITICAL Act Now

Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Adobe Java Apache Coldfusion
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2015-6832 HIGH This Week

Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE PHP
NVD
CVSS 3.0
7.3
EPSS
1.5%
CVE-2015-7450 CRITICAL POC KEV THREAT Emergency

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects exploiting the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1.

Java Apache Deserialization IBM
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
93.5%
Threat
9.8
CVE-2015-6420 Maven CRITICAL POC PATCH THREAT Act Now

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Java Apache Deserialization Commons Collections
NVD
CVSS 3.1
9.8
EPSS
18.8%
CVE-2015-8103 Maven CRITICAL POC PATCH THREAT Act Now

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.4%.

Deserialization RCE Jenkins Java Openshift Container Platform
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
90.4%
Threat
6.2
CVE-2015-4852 CRITICAL POC KEV PATCH THREAT Act Now

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Apache Oracle Deserialization
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
92.9%
Threat
7.7
CVE-2015-3837 CRITICAL Act Now

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization RCE Google Java Android
NVD
CVSS 2.0
9.3
EPSS
1.1%
CVE-2015-2787 HIGH POC THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.4%.

Deserialization RCE PHP Mac Os X Enterprise Linux Desktop +6
NVD GitHub
CVSS 2.0
7.5
EPSS
36.4%
Threat
4.1
CVE-2014-9421 CRITICAL Act Now

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service Kerberos 5
NVD GitHub
CVSS 2.0
9.0
EPSS
5.4%
CVE-2014-8833 LOW Monitor

SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users'. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apple Authentication Bypass Mac Os X
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2015-0231 HIGH POC PATCH THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 87.3%.

Deserialization RCE PHP
NVD GitHub
CVSS 2.0
7.5
EPSS
87.3%
Threat
5.6
CVE-2014-8142 HIGH POC THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 88.3%.

Deserialization RCE PHP
NVD
CVSS 2.0
7.5
EPSS
88.3%
Threat
5.6
CVE-2014-7911 HIGH Act Now

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. Epss exploitation probability 82.2% and no vendor patch available.

Deserialization Google Java RCE Privilege Escalation +1
NVD
CVSS 2.0
7.2
EPSS
82.2%
CVE-2014-3669 HIGH POC THREAT Act Now

Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 56.0%.

Deserialization RCE PHP Denial Of Service
NVD
CVSS 2.0
7.5
EPSS
56.0%
Threat
4.7
CVE-2014-7235 CRITICAL POC THREAT Emergency

htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 52.0%.

Deserialization RCE PHP Code Injection Freepbx
NVD GitHub Exploit-DB
CVSS 2.0
10.0
EPSS
52.0%
Threat
5.1
CVE-2014-6290 HIGH PATCH This Week

The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Deserialization News
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2013-2225 MEDIUM POC THREAT This Month

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.3%.

Deserialization PHP Glpi
NVD Exploit-DB
CVSS 2.0
6.4
EPSS
12.3%
CVE-2014-0416 MEDIUM This Month

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Oracle Jdk Jre
NVD
CVSS 2.0
5.0
EPSS
2.1%
CVE-2013-7075 PHP MEDIUM PATCH This Month

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Deserialization Typo3
NVD
CVSS 2.0
6.5
EPSS
0.4%
CVE-2013-5456 CRITICAL Act Now

The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization RCE Java IBM
NVD
CVSS 2.0
9.3
EPSS
1.8%
CVE-2013-6288 PHP CRITICAL PATCH Act Now

Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attack vectors, related to "Insecure Unserialize.". Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Apache Apache Solr
NVD
CVSS 2.0
10.0
EPSS
0.6%
CVE-2013-4271 Maven HIGH PATCH This Week

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Restlet
NVD GitHub VulDB
CVSS 2.0
7.5
EPSS
0.5%
CVE-2013-4338 HIGH POC PATCH This Week

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Deserialization Code Injection RCE
NVD
CVSS 2.0
7.5
EPSS
9.6%
CVE-2013-5303 CRITICAL PATCH Act Now

Unspecified vulnerability in the Store Locator (locator) extension before 3.1.5 for TYPO3 has unknown impact and remote attack vectors, related to "Insecure Unserialize.". Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Locator
NVD
CVSS 2.0
10.0
EPSS
1.1%
CVE-2013-2165 Maven HIGH PATCH Act Now

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 24.1%.

Red Hat Privilege Escalation Java Deserialization RCE +8
NVD
CVSS 2.0
7.5
EPSS
24.1%
CVE-2013-1768 Maven HIGH PATCH Act Now

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.6%.

Deserialization Privilege Escalation Apache RCE Openjpa
NVD
CVSS 2.0
7.5
EPSS
14.6%
CVE-2013-1453 HIGH POC This Week

plugins/system/highlight/highlight.php in Joomla!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization SQLi Joomla
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
0.1%
CVE-2013-1465 CRITICAL POC PATCH THREAT Act Now

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 31.0%.

PHP Deserialization Cubecart
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
31.0%
Threat
4.4
CVE-2013-0433 MEDIUM This Month

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Oracle Jre Jdk
NVD
CVSS 2.0
5.0
EPSS
0.8%
CVE-2012-4406 PyPI CRITICAL PATCH Act Now

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Python Deserialization RCE Swift Fedora +5
NVD GitHub
CVSS 3.1
9.8
EPSS
4.7%
CVE-2012-3527 PHP MEDIUM PATCH This Month

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization Typo3 Debian Linux
NVD
CVSS 2.0
4.6
EPSS
2.1%
CVE-2012-1605 PHP MEDIUM PATCH This Month

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization RCE Typo3
NVD
CVSS 2.0
5.0
EPSS
0.9%
CVE-2012-0911 CRITICAL POC THREAT Emergency

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

PHP Deserialization Tikiwiki Cms Groupware
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
77.9%
Threat
5.8
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Node.js RCE +1
NVD GitHub
EPSS 78% 5.8 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

Deserialization Node.js RCE +1
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE +1
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zimbra Collaboration Suite
NVD VulDB
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service PHP +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service +2
NVD GitHub
EPSS 2% CVSS 8.5
HIGH This Week

The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Privilege Escalation VMware +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in phpMyAdmin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE PHP +1
NVD
EPSS 12% CVSS 8.8
HIGH POC THREAT Act Now

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.1%.

RCE Deserialization Denial Of Service +3
NVD Exploit-DB
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Myfaces Trinidad
NVD
EPSS 4% CVSS 7.3
HIGH This Week

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization HP Java +2
NVD
EPSS 13% CVSS 9.8
CRITICAL Act Now

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.0% and no vendor patch available.

Deserialization Red Hat RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache +2
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service PHP +1
NVD GitHub
EPSS 75% 5.7 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 74.7%.

Deserialization Denial Of Service PHP
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.1%.

Memory Corruption Deserialization Denial Of Service +3
NVD GitHub
EPSS 10% CVSS 9.8
CRITICAL POC PATCH Act Now

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service +6
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Red Hat RCE +1
NVD
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Deserialization Denial Of Service +2
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Deserialization Denial Of Service +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Adobe Java +2
NVD
EPSS 2% CVSS 7.3
HIGH This Week

Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE PHP
NVD
EPSS 93% 9.8 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects exploiting the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1.

Java Apache Deserialization +1
NVD Exploit-DB VulDB
EPSS 19% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Java Apache +2
NVD
EPSS 90% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.4%.

Deserialization RCE Jenkins +2
NVD Exploit-DB
EPSS 93% 7.7 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Apache Oracle +1
NVD GitHub Exploit-DB VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization RCE Google +2
NVD
EPSS 36% 4.1 CVSS 7.5
HIGH POC THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.4%.

Deserialization RCE PHP +8
NVD GitHub
EPSS 5% CVSS 9.0
CRITICAL Act Now

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users'. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apple Authentication Bypass +1
NVD
EPSS 87% 5.6 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 87.3%.

Deserialization RCE PHP
NVD GitHub
EPSS 88% 5.6 CVSS 7.5
HIGH POC THREAT Act Now

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 88.3%.

Deserialization RCE PHP
NVD
EPSS 82% CVSS 7.2
HIGH Act Now

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. Epss exploitation probability 82.2% and no vendor patch available.

Deserialization Google Java +3
NVD
EPSS 56% 4.7 CVSS 7.5
HIGH POC THREAT Act Now

Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 56.0%.

Deserialization RCE PHP +1
NVD
EPSS 52% 5.1 CVSS 10.0
CRITICAL POC THREAT Emergency

htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 52.0%.

Deserialization RCE PHP +2
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Deserialization News
NVD
EPSS 12% CVSS 6.4
MEDIUM POC THREAT This Month

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.3%.

Deserialization PHP Glpi
NVD Exploit-DB
EPSS 2% CVSS 5.0
MEDIUM This Month

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Oracle +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Deserialization Typo3
NVD
EPSS 2% CVSS 9.3
CRITICAL Act Now

The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization RCE Java +1
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attack vectors, related to "Insecure Unserialize.". Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Apache Apache Solr
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Restlet
NVD GitHub VulDB
EPSS 10% CVSS 7.5
HIGH POC PATCH This Week

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Deserialization +2
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unspecified vulnerability in the Store Locator (locator) extension before 3.1.5 for TYPO3 has unknown impact and remote attack vectors, related to "Insecure Unserialize.". Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization Locator
NVD
EPSS 24% CVSS 7.5
HIGH PATCH Act Now

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 24.1%.

Red Hat Privilege Escalation Java +10
NVD
EPSS 15% CVSS 7.5
HIGH PATCH Act Now

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.6%.

Deserialization Privilege Escalation Apache +2
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

plugins/system/highlight/highlight.php in Joomla!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization SQLi +1
NVD Exploit-DB
EPSS 31% 4.4 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 31.0%.

PHP Deserialization Cubecart
NVD Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM This Month

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Oracle +2
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Python Deserialization RCE +7
NVD GitHub
EPSS 2% CVSS 4.6
MEDIUM PATCH This Month

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization Typo3 +1
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Deserialization RCE Typo3
NVD
EPSS 78% 5.8 CVSS 9.8
CRITICAL POC THREAT Emergency

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

PHP Deserialization Tikiwiki Cms Groupware
NVD Exploit-DB
Prev Page 30 of 30

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy