Skip to main content

Deserialization

2662 CVEs technique

Monthly

CVE-2026-27749 HIGH This Week

Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.

Deserialization RCE Internet Security
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2599 CRITICAL Act Now

PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.

WordPress PHP Deserialization Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28105 CRITICAL Act Now

Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28074 CRITICAL Act Now

Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27439 CRITICAL Act Now

Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27438 CRITICAL Act Now

Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27437 CRITICAL Act Now

Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27417 CRITICAL Act Now

Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27379 HIGH This Week

NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27369 HIGH This Week

BoldThemes Celeste versions 1.3.6 and earlier are vulnerable to unsafe deserialization that enables arbitrary object injection attacks over the network without authentication. An attacker can exploit this to achieve remote code execution or other malicious operations on affected systems. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27338 HIGH This Week

Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27098 HIGH This Week

Unsafe deserialization in the Au Pair Agency theme (versions up to 1.2.2) enables object injection attacks that could allow remote code execution on affected WordPress sites. An unauthenticated attacker can exploit this vulnerability to inject malicious objects and compromise server integrity, confidentiality, and availability. No patch is currently available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24385 HIGH This Week

gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).

Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23798 HIGH This Week

blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22501 CRITICAL Act Now

Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22497 CRITICAL Act Now

Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22475 CRITICAL Act Now

Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22474 CRITICAL Act Now

Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22473 HIGH This Week

Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22471 HIGH This Week

maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22454 CRITICAL Act Now

Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22453 CRITICAL Act Now

Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22451 CRITICAL Act Now

Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22417 CRITICAL Act Now

ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54001 CRITICAL Act Now

Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-20131 CRITICAL POC KEV THREAT Emergency

Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.

Cisco Java Deserialization RCE
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.6%
Threat
6.0
CVE-2026-3452 PHP HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization Concrete Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-27971 npm CRITICAL POC PATCH THREAT Act Now

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

RCE Deserialization Qwik
NVD GitHub
CVSS 3.1
9.8
EPSS
13.4%
CVE-2025-57622 CRITICAL Act Now

Pickle deserialization RCE in Step-Video-T2V via API endpoints.

Deserialization AI / ML
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52998 CRITICAL PATCH Act Now

Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.

Deserialization Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-50198 MEDIUM POC PATCH This Month

Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]

PHP Deserialization Chamilo Lms
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-47886 HIGH POC This Week

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]

RCE Deserialization Chamilo Lms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2026-3422 CRITICAL Act Now

U-Office Force by e-Excellence has an insecure deserialization vulnerability allowing unauthenticated remote code execution.

Deserialization U Office Force
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-2471 HIGH This Week

Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1542 MEDIUM This Month

Super Stage WP WordPre versions up to 1.0.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-21619 LOW Monitor

Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of untrusted data in API request handling, enabling remote attackers to trigger excessive memory allocation and denial of service without authentication. Affected versions include hex_core before 0.12.1, hex before 2.3.2, and rebar3 before 3.27.0, with no patch currently available. An attacker can exploit this remotely over the network to exhaust system resources and crash affected Erlang/Elixir build environments.

Deserialization Denial Of Service Rebar3 Hex Hex Core
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27776 HIGH This Week

Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.

Deserialization RCE Accel Platform
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-28364 HIGH PATCH This Week

Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.

RCE Buffer Overflow Deserialization Ocaml
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3071 HIGH This Week

Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.

Deserialization AI / ML
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-28138 HIGH This Week

Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-27830 Maven HIGH PATCH This Week

Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.

Java Deserialization Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-27794 PyPI MEDIUM PATCH This Month

Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.

Redis RCE SQLi Deserialization AI / ML +1
NVD GitHub
CVSS 3.1
6.6
EPSS
0.3%
CVE-2026-25899 Go HIGH POC PATCH This Week

Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.

Deserialization Fiber Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21665 This Week

The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.

.NET RCE Deserialization
NVD
EPSS
0.4%
CVE-2026-25747 Maven HIGH POC PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]

Apache Java Deserialization Camel RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2970 PyPI LOW POC Monitor

Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.

Redis Deserialization
NVD GitHub VulDB
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-2898 PHP LOW POC Monitor

Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

PHP Deserialization
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27206 PHP HIGH PATCH This Week

Zumba Json Serializer versions 3.2.2 and below allow unrestricted PHP object instantiation during JSON deserialization, enabling attackers to trigger arbitrary class constructors and magic methods via malicious @type fields. When processing untrusted JSON input, this vulnerability can lead to PHP Object Injection and remote code execution if vulnerable gadget chains are present in the application or its dependencies. The vulnerability affects applications using affected PHP serialization libraries and currently lacks a patched version.

PHP RCE Deserialization
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-2037 HIGH This Week

Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.

RCE Deserialization Archiver
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2026-2036 HIGH This Week

Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.

RCE Deserialization Archiver
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2026-24892 HIGH POC PATCH This Week

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

PHP Prometheus RCE Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-24891 HIGH POC This Week

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Prometheus Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22384 CRITICAL Act Now

leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22354 HIGH This Week

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22346 HIGH This Week

The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22345 HIGH This Week

Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69405 CRITICAL Act Now

Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69404 CRITICAL Act Now

Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69382 CRITICAL Act Now

Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69372 CRITICAL Act Now

Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69371 CRITICAL Act Now

Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69370 CRITICAL Act Now

Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69329 CRITICAL Act Now

Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69328 HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69301 CRITICAL Act Now

Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69294 HIGH This Week

Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68853 HIGH This Week

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68541 CRITICAL Act Now

Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-68531 HIGH This Week

modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68526 HIGH This Week

A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67997 CRITICAL Act Now

Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67996 CRITICAL Act Now

Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67995 CRITICAL Act Now

Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27475 HIGH This Week

Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.

Deserialization Spip
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25316 HIGH This Week

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-23549 CRITICAL Act Now

PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23544 HIGH This Week

Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23542 CRITICAL Act Now

PHP Object Injection in Grand Restaurant WordPress theme.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22333 HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15579 This Week

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.

RCE Denial Of Service Privilege Escalation Deserialization
NVD
EPSS
0.4%
CVE-2026-1426 HIGH This Week

PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60038 HIGH This Week

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-60037 HIGH This Week

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-60036 HIGH This Week

A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Ua.Testclient Rexroth Indraworks
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-60035 HIGH This Week

A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26220 CRITICAL Act Now

Remote code execution in LightLLM 1.1.0 and prior lets unauthenticated attackers run arbitrary code on the PD master node when the framework runs in prefill-decode (PD) disaggregation mode. The PD master exposes WebSocket endpoints that feed inbound binary frames straight into Python's pickle.loads(), so any attacker able to reach that socket can execute code in the serving process. No CISA KEV listing exists and EPSS is modest at 0.83% (74th percentile), but a public technical write-up (chocapikk.com) plus a VulnCheck advisory mean publicly available exploit code exists, so this should be treated as an urgent internal-exposure risk.

RCE Deserialization
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-2555 MEDIUM POC This Month

JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.

Java Deserialization AI / ML Jeecg Boot
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-26335 CRITICAL POC Act Now

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.

IIS .NET RCE Deserialization Verasmart
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26208 HIGH This Week

ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. No patch is currently available for affected versions.

Windows RCE Deserialization
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-26221 CRITICAL Act Now

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).

RCE Deserialization
NVD
CVSS 4.0
9.3
EPSS
1.3%
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.

Deserialization RCE Internet Security
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.

WordPress PHP Deserialization +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

BoldThemes Celeste versions 1.3.6 and earlier are vulnerable to unsafe deserialization that enables arbitrary object injection attacks over the network without authentication. An attacker can exploit this to achieve remote code execution or other malicious operations on affected systems. No patch is currently available for this vulnerability.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unsafe deserialization in the Au Pair Agency theme (versions up to 1.2.2) enables object injection attacks that could allow remote code execution on affected WordPress sites. An unauthenticated attacker can exploit this vulnerability to inject malicious objects and compromise server integrity, confidentiality, and availability. No patch is currently available.

Deserialization
NVD
EPSS 0% CVSS 7.5
HIGH This Week

gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 1% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.

Cisco Java Deserialization +1
NVD VulDB GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization +1
NVD GitHub
EPSS 13% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

RCE Deserialization Qwik
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Pickle deserialization RCE in Step-Video-T2V via API endpoints.

Deserialization AI / ML
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.

Deserialization Chamilo Lms
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]

PHP Deserialization Chamilo Lms
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]

RCE Deserialization Chamilo Lms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

U-Office Force by e-Excellence has an insecure deserialization vulnerability allowing unauthenticated remote code execution.

Deserialization U Office Force
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Super Stage WP WordPre versions up to 1.0.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
EPSS 0% CVSS 2.0
LOW Monitor

Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of untrusted data in API request handling, enabling remote attackers to trigger excessive memory allocation and denial of service without authentication. Affected versions include hex_core before 0.12.1, hex before 2.3.2, and rebar3 before 3.27.0, with no patch currently available. An attacker can exploit this remotely over the network to exhaust system resources and crash affected Erlang/Elixir build environments.

Deserialization Denial Of Service Rebar3 +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.

Deserialization RCE Accel Platform
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.

RCE Buffer Overflow Deserialization +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.

Deserialization AI / ML
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.

Deserialization
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.

Java Deserialization Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.

Redis RCE SQLi +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.

Deserialization Fiber Suse
NVD GitHub
EPSS 0%
This Week

The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.

.NET RCE Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]

Apache Java Deserialization +2
NVD GitHub
EPSS 0% CVSS 1.2
LOW POC Monitor

Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.

Redis Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Zumba Json Serializer versions 3.2.2 and below allow unrestricted PHP object instantiation during JSON deserialization, enabling attackers to trigger arbitrary class constructors and magic methods via malicious @type fields. When processing untrusted JSON input, this vulnerability can lead to PHP Object Injection and remote code execution if vulnerable gadget chains are present in the application or its dependencies. The vulnerability affects applications using affected PHP serialization libraries and currently lacks a patched version.

PHP RCE Deserialization
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.

RCE Deserialization Archiver
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.

RCE Deserialization Archiver
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

PHP Prometheus RCE +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Prometheus Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.

Deserialization Spip
NVD
EPSS 0% CVSS 7.2
HIGH This Week

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in Grand Restaurant WordPress theme.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
EPSS 0%
This Week

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.

RCE Denial Of Service Privilege Escalation +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Ua.Testclient +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

RCE Deserialization Rexroth Indraworks
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in LightLLM 1.1.0 and prior lets unauthenticated attackers run arbitrary code on the PD master node when the framework runs in prefill-decode (PD) disaggregation mode. The PD master exposes WebSocket endpoints that feed inbound binary frames straight into Python's pickle.loads(), so any attacker able to reach that socket can execute code in the serving process. No CISA KEV listing exists and EPSS is modest at 0.83% (74th percentile), but a public technical write-up (chocapikk.com) plus a VulnCheck advisory mean publicly available exploit code exists, so this should be treated as an urgent internal-exposure risk.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM POC This Month

JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.

Java Deserialization AI / ML +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.

IIS .NET RCE +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH This Week

ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. No patch is currently available for affected versions.

Windows RCE Deserialization
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).

RCE Deserialization
NVD
Prev Page 7 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy