Deserialization
Monthly
Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).
BoldThemes Celeste versions 1.3.6 and earlier are vulnerable to unsafe deserialization that enables arbitrary object injection attacks over the network without authentication. An attacker can exploit this to achieve remote code execution or other malicious operations on affected systems. No patch is currently available for this vulnerability.
Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.
Unsafe deserialization in the Au Pair Agency theme (versions up to 1.2.2) enables object injection attacks that could allow remote code execution on affected WordPress sites. An unauthenticated attacker can exploit this vulnerability to inject malicious objects and compromise server integrity, confidentiality, and availability. No patch is currently available.
gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).
blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.
maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).
Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.
Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.
Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]
Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]
U-Office Force by e-Excellence has an insecure deserialization vulnerability allowing unauthenticated remote code execution.
Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.
Super Stage WP WordPre versions up to 1.0.1 is affected by deserialization of untrusted data (CVSS 6.5).
Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of untrusted data in API request handling, enabling remote attackers to trigger excessive memory allocation and denial of service without authentication. Affected versions include hex_core before 0.12.1, hex before 2.3.2, and rebar3 before 3.27.0, with no patch currently available. An attacker can exploit this remotely over the network to exhaust system resources and crash affected Erlang/Elixir build environments.
Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.
Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.
Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.
Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.
Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.
Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Zumba Json Serializer versions 3.2.2 and below allow unrestricted PHP object instantiation during JSON deserialization, enabling attackers to trigger arbitrary class constructors and magic methods via malicious @type fields. When processing untrusted JSON input, this vulnerability can lead to PHP Object Injection and remote code execution if vulnerable gadget chains are present in the application or its dependencies. The vulnerability affects applications using affected PHP serialization libraries and currently lacks a patched version.
Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.
Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.
Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.
Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.
leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.
Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]
Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).
A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.
CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.
PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.
Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.
PHP Object Injection in Grand Restaurant WordPress theme.
YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).
Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]
A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]
A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]
A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]
Remote code execution in LightLLM 1.1.0 and prior lets unauthenticated attackers run arbitrary code on the PD master node when the framework runs in prefill-decode (PD) disaggregation mode. The PD master exposes WebSocket endpoints that feed inbound binary frames straight into Python's pickle.loads(), so any attacker able to reach that socket can execute code in the serving process. No CISA KEV listing exists and EPSS is modest at 0.83% (74th percentile), but a public technical write-up (chocapikk.com) plus a VulnCheck advisory mean publicly available exploit code exists, so this should be treated as an urgent internal-exposure risk.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.
ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. No patch is currently available for affected versions.
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).
Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).
BoldThemes Celeste versions 1.3.6 and earlier are vulnerable to unsafe deserialization that enables arbitrary object injection attacks over the network without authentication. An attacker can exploit this to achieve remote code execution or other malicious operations on affected systems. No patch is currently available for this vulnerability.
Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.
Unsafe deserialization in the Au Pair Agency theme (versions up to 1.2.2) enables object injection attacks that could allow remote code execution on affected WordPress sites. An unauthenticated attacker can exploit this vulnerability to inject malicious objects and compromise server integrity, confidentiality, and availability. No patch is currently available.
gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).
blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.
maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).
Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.
Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.
Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]
Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]
U-Office Force by e-Excellence has an insecure deserialization vulnerability allowing unauthenticated remote code execution.
Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.
Super Stage WP WordPre versions up to 1.0.1 is affected by deserialization of untrusted data (CVSS 6.5).
Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of untrusted data in API request handling, enabling remote attackers to trigger excessive memory allocation and denial of service without authentication. Affected versions include hex_core before 0.12.1, hex before 2.3.2, and rebar3 before 3.27.0, with no patch currently available. An attacker can exploit this remotely over the network to exhaust system resources and crash affected Erlang/Elixir build environments.
Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.
Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.
Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.
Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.
Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.
Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Zumba Json Serializer versions 3.2.2 and below allow unrestricted PHP object instantiation during JSON deserialization, enabling attackers to trigger arbitrary class constructors and magic methods via malicious @type fields. When processing untrusted JSON input, this vulnerability can lead to PHP Object Injection and remote code execution if vulnerable gadget chains are present in the application or its dependencies. The vulnerability affects applications using affected PHP serialization libraries and currently lacks a patched version.
Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.
Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.
Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.
Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.
leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.
Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]
Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).
A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.
CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.
PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.
Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.
PHP Object Injection in Grand Restaurant WordPress theme.
YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).
Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]
A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]
A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]
A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]
Remote code execution in LightLLM 1.1.0 and prior lets unauthenticated attackers run arbitrary code on the PD master node when the framework runs in prefill-decode (PD) disaggregation mode. The PD master exposes WebSocket endpoints that feed inbound binary frames straight into Python's pickle.loads(), so any attacker able to reach that socket can execute code in the serving process. No CISA KEV listing exists and EPSS is modest at 0.83% (74th percentile), but a public technical write-up (chocapikk.com) plus a VulnCheck advisory mean publicly available exploit code exists, so this should be treated as an urgent internal-exposure risk.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.
ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. No patch is currently available for affected versions.
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).