Deserialization
Monthly
Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release.
Object injection via unsafe deserialization in designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. No CVSS vector is available, and exploitation probability is low (EPSS 0.16, percentile 36%), with no confirmed public exploit code or active exploitation reported at time of analysis.
Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.
Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.
Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.
Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, percentile 36%), with no confirmed active exploitation at time of analysis.
Object injection via unsafe deserialization in JetFormBuilder WordPress plugin through version 3.5.1.2 allows attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability affects all versions up to and including 3.5.1.2, with no CVSS score publicly assigned yet. EPSS exploitation probability is low at 0.14% (35th percentile), and no public exploit code or confirmed active exploitation has been identified at this time.
The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution. No user interaction is required, making this a direct attack against enterprise content management infrastructure.
Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed.
Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.
SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.
Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the TypeResolutionService class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25397.
Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the ReadValue method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25246.
A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines.
Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7.
Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3.
ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0.
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution
Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution
In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.
Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0.
Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0.
Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6.
IBM WebSphere Application Server (WAS) versions 8.5 and 9.0 are vulnerable to remote code execution through deserialization of untrusted serialized objects, allowing unauthenticated network attackers to execute arbitrary code with high confidence despite moderate attack complexity. This is a critical Java deserialization vulnerability (CWE-502) affecting enterprise application servers in widespread use; exploitation status and EPSS probability are not yet public but the CVSS 9.0 score and network-accessible attack vector indicate this is a priority concern for organizations running affected WAS versions.
CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.
SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.
PowSyBl versions 6.3.0 through 6.7.1 contain an unsafe deserialization vulnerability in the SparseMatrix.read() method that allows remote attackers to achieve arbitrary code execution and privilege escalation without authentication or user interaction. The vulnerability affects the powsybl-math library, a core component of the Power System Blocks framework used in power grid management software. Exploitation requires only network access to an application exposing the vulnerable deserialization method.
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.
Unauthorized users can perform arbitrary file read and deserialization attacks by submitting a job through the RESTful API v1. Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a job. An attacker can set extra parameters in the MySQL URL to perform arbitrary file read and deserialization attacks. This issue affects Apache SeaTunnel: <=2.3.10. Users are recommended to upgrade to version 2.3.11 and enable RESTful API v2 with HTTPS two-way authentication, which fixes the issue.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.
Post-authentication insecure deserialization vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows remote code execution with high impact on confidentiality, integrity, and availability. While the CVSS score of 8.8 is significant, exploitation requires prior low-privileged code execution on the target system, substantially reducing real-world attack surface compared to unauthenticated network exploits. The vulnerability affects Trend Micro Endpoint Encryption installations and should be prioritized based on organizational exposure to this specific product line and internal threat modeling of low-privileged account compromise scenarios.
Critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction required to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching as it requires no privileges or complex attack conditions.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.
Critical pre-authentication remote code execution vulnerability in Trend Micro Apex Central versions below 8.0.7007, caused by insecure deserialization in a specific method. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with complete system compromise (confidentiality, integrity, and availability impact). With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this represents an immediately exploitable critical threat to exposed Apex Central installations.
Pre-authentication remote code execution vulnerability stemming from insecure deserialization in Trend Micro Apex Central versions below 8.0.7007. An unauthenticated attacker can exploit this vulnerability over the network with low complexity to achieve complete system compromise (confidentiality, integrity, and availability). This vulnerability is actively tracked by CISA as a known exploited vulnerability (KEV) with high CVSS 9.8 severity and carries significant real-world risk due to its network-accessible, authentication-bypass nature.
Deserialization of untrusted data vulnerability in impleCode eCommerce Product Catalog versions up to 3.4.3 that allows authenticated attackers with high privileges to perform object injection attacks. The vulnerability enables remote code execution or unauthorized data manipulation through malicious serialized objects. While the CVSS score of 7.2 is moderate-to-high, the requirement for high privileges (PR:H) significantly limits real-world exploitability; however, this should not be underestimated in multi-tenant or insider threat scenarios.
A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
Critical deserialization of untrusted data vulnerability in themeton Spare (versions up to 1.7) that allows remote attackers to achieve object injection without authentication or user interaction. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability enables complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability's presence in a serialization library makes it particularly dangerous as it can be exploited by any network-connected attacker sending specially crafted serialized objects.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
Critical deserialization vulnerability in Dell ControlVault3 that allows unauthenticated local attackers to achieve arbitrary code execution by sending specially crafted responses to the cvhDecapsulateCmd functionality. The vulnerability affects ControlVault3 prior to version 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. An attacker who can compromise ControlVault firmware or intercept responses can trigger remote code execution with system-level privileges, making this a high-impact vulnerability despite the moderate attack complexity requirement.
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint environments where untrusted data is deserialized, enabling network-based code execution with high impact to confidentiality, integrity, and availability. While no public exploit code has been confirmed in open intelligence sources, the CVSS 8.8 rating and low attack complexity suggest this is a high-priority patch for all affected organizations.
Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection attacks. All versions before 1.7.1 are affected, allowing unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. This is a network-exploitable vulnerability with CVSS 9.8 severity indicating maximum real-world risk.
Critical deserialization of untrusted data vulnerability in LoftOcean TinySalt that enables object injection attacks. This vulnerability affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating; exploitation status and POC availability cannot be confirmed from provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.
A remote code execution vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A deserialization vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
Critical deserialization of untrusted data vulnerability in themeton PIMP (Creative MultiPurpose) plugin affecting versions through 1.7, allowing unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). The CVSS 9.8 score reflects the network-accessible, authentication-free attack vector with high impact across all three security dimensions. Exploitation requires no user interaction and can be performed by any unauthenticated network attacker, making this a severe priority if the KEV catalog confirms active exploitation or POC availability.
Critical deserialization vulnerability in themeton FLAP - Business WordPress Theme (versions up to 1.5) that allows unauthenticated remote attackers to achieve arbitrary object injection without user interaction. The vulnerability has a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating complete compromise of confidentiality, integrity, and availability is possible. Given the network-accessible attack vector and low complexity, this represents a critical risk to all WordPress installations using vulnerable theme versions.
Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.
Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.
Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.
Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.
Critical deserialization vulnerability in AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.
A deserialization vulnerability in ThemeGoods Photography (CVSS 8.5). High severity vulnerability requiring prompt remediation.
A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System (versions through 7.3.2025.0408) caused by unsafe deserialization of untrusted data in the download file function. An unauthenticated remote attacker can exploit this to execute arbitrary system commands with no user interaction required, achieving complete compromise of confidentiality, integrity, and availability. The CVSS 9.8 severity and network-accessible attack vector indicate this is a high-priority threat requiring immediate patching.
Deserialization vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by sending a crafted Java object to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root.
A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device. This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef file. A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it.
A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Insecure deserialization in Auth0-PHP SDK 8.0.0-BETA3 to before 8.3.1.
Critical remote code execution vulnerability in slackero phpwcms affecting versions up to 1.9.45 and 1.10.8. The vulnerability exists in the image_resized.php file where unsanitized input to the 'imgfile' parameter is passed to PHP's is_file() and getimagesize() functions, leading to unsafe deserialization. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with a CVSS score of 7.3; the vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable.
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited.
Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes.
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.
A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.6.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, percentile 36%), with no confirmed active exploitation at time of analysis.
Object injection via unsafe deserialization in JetFormBuilder WordPress plugin through version 3.5.1.2 allows attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability affects all versions up to and including 3.5.1.2, with no CVSS score publicly assigned yet. EPSS exploitation probability is low at 0.14% (35th percentile), and no public exploit code or confirmed active exploitation has been identified at this time.
The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution. No user interaction is required, making this a direct attack against enterprise content management infrastructure.
Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed.
Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.
SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.
Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the TypeResolutionService class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25397.
Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the ReadValue method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25246.
A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines.
Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7.
Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3.
ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0.
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.
A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution
Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution
In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.
Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0.
Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0.
Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6.
IBM WebSphere Application Server (WAS) versions 8.5 and 9.0 are vulnerable to remote code execution through deserialization of untrusted serialized objects, allowing unauthenticated network attackers to execute arbitrary code with high confidence despite moderate attack complexity. This is a critical Java deserialization vulnerability (CWE-502) affecting enterprise application servers in widespread use; exploitation status and EPSS probability are not yet public but the CVSS 9.0 score and network-accessible attack vector indicate this is a priority concern for organizations running affected WAS versions.
CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.
SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.
PowSyBl versions 6.3.0 through 6.7.1 contain an unsafe deserialization vulnerability in the SparseMatrix.read() method that allows remote attackers to achieve arbitrary code execution and privilege escalation without authentication or user interaction. The vulnerability affects the powsybl-math library, a core component of the Power System Blocks framework used in power grid management software. Exploitation requires only network access to an application exposing the vulnerable deserialization method.
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.
Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job using restful api-v1. Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a job. An attacker can set extra params in the mysql url to perform Arbitrary File Read and Deserialization attacks. This issue affects Apache SeaTunnel: <=2.3.10. Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication, which fixes the issue.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.
Post-authentication insecure deserialization vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows remote code execution with high impact on confidentiality, integrity, and availability. While the CVSS score of 8.8 is significant, exploitation requires prior low-privileged code execution on the target system, substantially reducing real-world attack surface compared to unauthenticated network exploits. The vulnerability affects Trend Micro Endpoint Encryption installations and should be prioritized based on organizational exposure to this specific product line and internal threat modeling of low-privileged account compromise scenarios.
Critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction required to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching as it requires no privileges or complex attack conditions.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.
Critical pre-authentication remote code execution vulnerability in Trend Micro Apex Central versions below 8.0.7007, caused by insecure deserialization in a specific method. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with complete system compromise (confidentiality, integrity, and availability impact). With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this represents an immediately exploitable critical threat to exposed Apex Central installations.
Pre-authentication remote code execution vulnerability stemming from insecure deserialization in Trend Micro Apex Central versions below 8.0.7007. An unauthenticated attacker can exploit this vulnerability over the network with low complexity to achieve complete system compromise (confidentiality, integrity, and availability). This vulnerability is actively tracked by CISA as a known exploited vulnerability (KEV) with high CVSS 9.8 severity and carries significant real-world risk due to its network-accessible, authentication-bypass nature.
Deserialization of untrusted data vulnerability in impleCode eCommerce Product Catalog versions up to 3.4.3 that allows authenticated attackers with high privileges to perform object injection attacks. The vulnerability enables remote code execution or unauthorized data manipulation through malicious serialized objects. While the CVSS score of 7.2 is moderate-to-high, the requirement for high privileges (PR:H) significantly limits real-world exploitability; however, this should not be underestimated in multi-tenant or insider threat scenarios.
A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
Critical deserialization of untrusted data vulnerability in themeton Spare (versions up to 1.7) that allows remote attackers to achieve object injection without authentication or user interaction. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability enables complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability's presence in a serialization library makes it particularly dangerous as it can be exploited by any network-connected attacker sending specially crafted serialized objects.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
Critical deserialization vulnerability in Dell ControlVault3 that allows unauthenticated local attackers to achieve arbitrary code execution by sending specially crafted responses to the cvhDecapsulateCmd functionality. The vulnerability affects ControlVault3 prior to version 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. An attacker who can compromise ControlVault firmware or intercept responses can trigger remote code execution with system-level privileges, making this a high-impact vulnerability despite the moderate attack complexity requirement.
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint environments where untrusted data is deserialized, enabling network-based code execution with high impact to confidentiality, integrity, and availability. While no public exploit code has been confirmed in open intelligence sources, the CVSS 8.8 rating and low attack complexity suggest this is a high-priority patch for all affected organizations.
Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection attacks. All versions before 1.7.1 are affected, allowing unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. This is a network-exploitable vulnerability with CVSS 9.8 severity indicating maximum real-world risk.
Critical deserialization of untrusted data vulnerability in LoftOcean TinySalt that enables object injection attacks. This vulnerability affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating; exploitation status and POC availability cannot be confirmed from provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.
A remote code execution vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A deserialization vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
Critical deserialization of untrusted data vulnerability in themeton PIMP (Creative MultiPurpose) plugin affecting versions through 1.7, allowing unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). The CVSS 9.8 score reflects the network-accessible, authentication-free attack vector with high impact across all three security dimensions. Exploitation requires no user interaction and can be performed by any unauthenticated network attacker, making this a severe priority if the KEV catalog confirms active exploitation or POC availability.
Critical deserialization vulnerability in themeton FLAP - Business WordPress Theme (versions up to 1.5) that allows unauthenticated remote attackers to achieve arbitrary object injection without user interaction. The vulnerability has a near-perfect CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating complete compromise of confidentiality, integrity, and availability is possible. Given the network-accessible attack vector and low complexity, this represents a critical risk to all WordPress installations using vulnerable theme versions.
Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.
Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.
Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.
Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.
Critical deserialization vulnerability in AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.
A deserialization vulnerability in ThemeGoods Photography (CVSS 8.5). High severity vulnerability requiring prompt remediation.
A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System (versions through 7.3.2025.0408) caused by unsafe deserialization of untrusted data in the download file function. An unauthenticated remote attacker can exploit this to execute arbitrary system commands with no user interaction required, achieving complete compromise of confidentiality, integrity, and availability. The CVSS 9.8 severity and network-accessible attack vector indicate this is a high-priority threat requiring immediate patching.
Deserialization vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by sending a crafted Java object to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root.
A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device. This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef file. A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it.
A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Insecure deserialization in Auth0-PHP SDK 8.0.0-BETA3 to before 8.3.1.
Critical remote code execution vulnerability in slackero phpwcms affecting versions up to 1.9.45 and 1.10.8. The vulnerability exists in the image_resized.php file where unsanitized input to the 'imgfile' parameter is passed to PHP's is_file() and getimagesize() functions, leading to unsafe deserialization. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with a CVSS score of 7.3; the vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable.
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited.
Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes.
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.
A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.6.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.