Deserialization
Monthly
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
DZS Video Gallery WordPress plugin (through 12.37) is vulnerable to PHP object injection through insecure deserialization. An unauthenticated attacker can inject arbitrary PHP objects, potentially achieving code execution through POP chains.
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. [CVSS 8.8 HIGH]
Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]
A security vulnerability has been detected in milvu versions up to 2.6.7. is affected by improper input validation (CVSS 6.3).
MessagePack for Java versions prior to 0.9.11 are vulnerable to denial-of-service attacks through malicious .msgpack files that exploit unbounded heap allocation when deserializing EXT32 objects. An unauthenticated attacker can craft a small payload with attacker-controlled extension lengths that causes the library to attempt allocating excessive memory, leading to JVM heap exhaustion and service unavailability. Public exploit code exists for this vulnerability; organizations using affected versions should update immediately.
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. [CVSS 4.7 MEDIUM]
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.
PHP object injection in PDF for Elementor Forms WordPress plugin (versions ≤6.5.0) enables unauthenticated remote attackers to execute arbitrary code or manipulate application state through unsafe deserialization of user-controlled data. EPSS probability is low (0.06%, 19th percentile), and no public exploit identified at time of analysis. However, the unauthenticated remote attack vector (CVSS AV:N/PR:N) and high confidentiality impact warrant immediate patching for sites using this plugin.
Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.
Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.
Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.
PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).
PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.
Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.
A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.
A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in the Keycloak LDAP User Federation provider. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.3.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.9.10. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Microsoft SharePoint Online Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.9.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.3.65. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.10.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NooTheme WeMusic noo-wemusic allows Object Injection.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type(). Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.
PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.
PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.
A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Pickle deserialization RCE in pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3.
A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability.
Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection.3.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection.1.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.
Snipe-IT before 8.1.18 allows unsafe deserialization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
DZS Video Gallery WordPress plugin (through 12.37) is vulnerable to PHP object injection through insecure deserialization. An unauthenticated attacker can inject arbitrary PHP objects, potentially achieving code execution through POP chains.
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. [CVSS 8.8 HIGH]
Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]
A security vulnerability has been detected in milvu versions up to 2.6.7. is affected by improper input validation (CVSS 6.3).
MessagePack for Java versions prior to 0.9.11 are vulnerable to denial-of-service attacks through malicious .msgpack files that exploit unbounded heap allocation when deserializing EXT32 objects. An unauthenticated attacker can craft a small payload with attacker-controlled extension lengths that causes the library to attempt allocating excessive memory, leading to JVM heap exhaustion and service unavailability. Public exploit code exists for this vulnerability; organizations using affected versions should update immediately.
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. [CVSS 4.7 MEDIUM]
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.
PHP object injection in PDF for Elementor Forms WordPress plugin (versions ≤6.5.0) enables unauthenticated remote attackers to execute arbitrary code or manipulate application state through unsafe deserialization of user-controlled data. EPSS probability is low (0.06%, 19th percentile), and no public exploit identified at time of analysis. However, the unauthenticated remote attack vector (CVSS AV:N/PR:N) and high confidentiality impact warrant immediate patching for sites using this plugin.
Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.
Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.
Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.
PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).
PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.
Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.
A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.
A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in the Keycloak LDAP User Federation provider. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.3.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.9.10. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Microsoft SharePoint Online Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.9.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.3.65. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.10.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NooTheme WeMusic noo-wemusic allows Object Injection.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type(). Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.
PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.
PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.
A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Pickle deserialization RCE in pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3.
A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability.
Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection.3.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection.1.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.
Snipe-IT before 8.1.18 allows unsafe deserialization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.