Skip to main content

Deserialization

2662 CVEs technique

Monthly

CVE-2025-61880 HIGH PATCH This Week

In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution. [CVSS 8.8 HIGH]

RCE Deserialization Nios
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2026-26215 CRITICAL Act Now

{method} and /execute/{method} feed attacker-supplied request bodies straight into pickle.loads(), and the intended nonce authorization gate is bypassed because the nonce defaults to an empty string and is skipped by default. A detailed technical write-up (chocapikk.com) and a VulnCheck advisory describe the flaw; it is not listed in CISA KEV and EPSS is low (0.14%, 34th percentile), indicating no evidence of widespread active exploitation.

RCE Deserialization
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-0910 HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1235 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21531 PyPI CRITICAL PATCH Act Now

Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.

Azure Deserialization Azure Conversation Authoring Client Library
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-21511 HIGH PATCH This Week

Microsoft Outlook's unsafe deserialization of untrusted data enables remote attackers to spoof messages and identities without authentication over the network. This vulnerability affects Outlook, Word, and Microsoft 365 Apps, allowing attackers to impersonate legitimate senders and deceive users. No patch is currently available, making this a high-risk threat requiring immediate defensive measures.

Microsoft Outlook Deserialization 365 Apps Word +3
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-23685 MEDIUM This Month

Denial of service in SAP NetWeaver's JMS service stems from unsafe deserialization of malicious objects, allowing authenticated administrators with local access to crash the application. The vulnerability requires high privileges and local access but carries no risk to confidentiality or integrity. No patch is currently available.

SAP Denial Of Service Deserialization Netweaver
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-25923 CRITICAL Act Now

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

PHP Deserialization File Upload My Little Forum
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-2113 MEDIUM POC This Month

Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.

PHP Deserialization
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-25632 PyPI CRITICAL PATCH Act Now

EPyT-Flow hydraulic simulation package has a CVSS 10.0 insecure deserialization enabling code execution when loading simulation scenario files.

Python Command Injection Deserialization Epyt Flow
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2020-37071 CRITICAL POC Act Now

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

PHP RCE Deserialization
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-25615 HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. [CVSS 7.2 HIGH]

Deserialization Blesta
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-25614 HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. [CVSS 7.5 HIGH]

Deserialization Blesta
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62603 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Deserialization Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70560 PyPI HIGH This Week

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. [CVSS 8.4 HIGH]

Python Deserialization Boltz RCE
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-70559 PyPI MEDIUM PATCH This Month

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]

Python Privilege Escalation Deserialization RCE Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24954 HIGH This Week

magepeopleteam WpEvently mage-eventpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-62348 PyPI HIGH PATCH This Week

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. [CVSS 7.8 HIGH]

RCE Deserialization Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1691 LOW POC Monitor

Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.

Java Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-40553 CRITICAL Act Now

SolarWinds Web Help Desk has a second deserialization vulnerability (EPSS 11.9%) providing another unauthenticated RCE path alongside CVE-2025-40551.

RCE Deserialization Web Help Desk
NVD GitHub
CVSS 3.1
9.8
EPSS
11.9%
CVE-2025-40551 CRITICAL POC KEV THREAT Emergency

SolarWinds Web Help Desk contains an unauthenticated Java deserialization vulnerability (CVE-2025-40551, CVSS 9.8) that enables remote code execution. With EPSS 80.6% and KEV listing, this is the more severe of two concurrent WHD vulnerabilities, allowing attackers to execute arbitrary commands on the host server without any credentials.

RCE Deserialization Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
80.6%
Threat
7.4
CVE-2026-24765 PHP HIGH POC PATCH GHSA This Week

Unsafe deserialization in PHPUnit versions before 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8 allows local attackers to execute arbitrary code by placing malicious serialized objects in `.coverage` files that are deserialized without validation during PHPT test execution. An attacker with file write access can exploit the `cleanupForCoverage()` method's lack of object class restrictions to trigger gadget chains through `__wakeup()` methods. This high-severity vulnerability (CVSS 7.8) affects developers and CI/CD systems running PHPUnit on Linux systems.

RCE Deserialization Debian Linux Phpunit Red Hat +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24815 This Week

Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.

Java Deserialization
NVD GitHub
EPSS
0.1%
CVE-2026-24656 Maven LOW PATCH Monitor

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. [CVSS 3.7 LOW]

Apache Deserialization
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-0773 CRITICAL Act Now

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

RCE Deserialization AI / ML
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2026-0772 HIGH This Week

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

RCE Deserialization AI / ML Langflow
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2026-0764 CRITICAL Act Now

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2026-0763 CRITICAL Act Now

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2026-0762 HIGH This Week

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2026-0760 CRITICAL Act Now

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

RCE Deserialization AI / ML Metagpt
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2025-15351 HIGH This Week

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

RCE Deserialization Vectorstar
NVD
CVSS 3.0
7.8
EPSS
0.2%
CVE-2025-15350 HIGH This Week

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

RCE Deserialization Vectorstar
NVD
CVSS 3.0
7.8
EPSS
0.2%
CVE-2025-15348 HIGH This Week

Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. [CVSS 7.8 HIGH]

RCE Deserialization Shockline
NVD
CVSS 3.0
7.8
EPSS
0.2%
CVE-2025-69099 HIGH This Week

Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69079 CRITICAL Act Now

ThemeREX Sound/musicplace WordPress theme has an insecure deserialization vulnerability enabling PHP object injection and potential remote code execution.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69036 HIGH This Week

strongholdthemes Tech Life CPT techlife-cpt is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69035 HIGH This Week

strongholdthemes Dental Care CPT dentalcare-cpt is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69002 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection.This issue affects OneLife: from n/a through <= 3.9. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68903 HIGH This Week

Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection.This issue affects Anona: from n/a through <= 8.0. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68899 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68047 HIGH This Week

Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.1. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67619 HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67617 CRITICAL Act Now

Consult Aid WordPress theme has an insecure deserialization vulnerability allowing object injection that can lead to remote code execution.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-50004 HIGH This Week

Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue affects JupiterX Core: from n/a through <= 4.10.1. [CVSS 8.5 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24009 PyPI HIGH PATCH This Week

Remote code execution in Docling Core versions 2.21.0 through 2.48.3 allows unauthenticated attackers to execute arbitrary code when applications deserialize untrusted YAML data using the `DoclingDocument.load_from_yaml()` method with vulnerable PyYAML versions. The vulnerability stems from unsafe deserialization practices (CWE-502) and affects document processing systems using affected library versions. No patch is currently available; mitigation requires upgrading to version 2.48.4 or ensuring PyYAML 5.4+ is installed.

RCE Deserialization Docling Core
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24006 npm HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service attacks due to unbounded recursion when serializing deeply nested objects, allowing remote attackers to crash applications by exceeding the call stack limit. The vulnerability affects the deserialization library's handling of complex data structures without depth validation. Version 1.4.1 introduces a configurable depthLimit parameter to prevent exploitation of this resource exhaustion condition.

Deserialization Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23957 npm HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service through malformed deserialization payloads that specify excessively large array lengths, causing the parsing process to consume excessive CPU resources and become unresponsive. An unauthenticated remote attacker can exploit this without user interaction by sending a crafted serialized object to any application using the vulnerable library. The vulnerability has been patched in version 1.4.1.

Deserialization Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23956 npm HIGH PATCH GHSA This Week

Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.

Denial Of Service Deserialization Seroval
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23946 PyPI MEDIUM POC PATCH This Month

Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.

Python RCE Deserialization Tendenci
NVD GitHub
CVSS 3.1
6.8
EPSS
0.4%
CVE-2026-23737 npm HIGH POC PATCH This Week

Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.

Deserialization Seroval Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-23736 npm HIGH PATCH This Week

Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).

Deserialization Seroval Red Hat Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-23524 PHP CRITICAL PATCH Act Now

Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.

Redis Laravel RCE Deserialization Reverb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-68141 HIGH POC This Week

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. [CVSS 7.4 HIGH]

Null Pointer Dereference Deserialization Everest
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-56005 CRITICAL POC PATCH Act Now

PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.

Python RCE Deserialization Ply
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-0726 HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-0895 PHP PATCH This Week

The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 .

Typo3 Deserialization
NVD GitHub
EPSS
0.0%
CVE-2023-7334 CRITICAL POC Act Now

Changjetong T+ (through 16.x) has .NET deserialization RCE in an AjaxPro endpoint. Attacker-controlled JSON triggers deserialization of malicious .NET types. PoC available.

.NET RCE Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-21226 PyPI HIGH PATCH This Week

Remote code execution in Azure Core Shared Client Library for Python results from insecure deserialization of untrusted data, allowing authenticated network-based attackers to achieve arbitrary code execution. The vulnerability affects Python applications utilizing the vulnerable library versions, with no patch currently available. This represents a high-severity risk for Azure SDK consumers handling external or user-supplied serialized data.

Python Azure Deserialization Azure Core Shared Client Library Suse
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2026-20963 CRITICAL POC KEV EUVD KEV PATCH THREAT Emergency

Microsoft Office SharePoint contains a deserialization vulnerability (CVE-2026-20963) that allows authenticated users to execute arbitrary code over the network through crafted serialized objects. KEV-listed with public PoC, this CVSS 8.8 vulnerability enables any SharePoint user to escalate to server-level code execution, making it a critical threat for organizations relying on SharePoint for document management and collaboration.

Microsoft Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
1.6%
Threat
5.0
CVE-2026-0859 PHP HIGH PATCH This Week

Arbitrary PHP code execution in TYPO3 CMS versions 10.0.0 through 14.0.1 through unsafe deserialization of mail spool files, allowing local attackers with write access to the spool directory to execute malicious code when the mailer:spool:send command is executed. Affected versions span multiple release lines including 10.x, 11.x, 12.x, 13.x, and 14.x, requiring immediate patching to prevent web server compromise.

Typo3 PHP Deserialization
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-14021 PyPI HIGH POC PATCH This Week

Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Index.load_from_disk() calls pickle.load() on a multi_embed_store.pkl file read from an attacker-controlled persist_dir. A victim who loads a maliciously crafted index directory executes attacker-supplied code in their own process. Publicly available exploit code exists (huntr bounty submission), though EPSS is low (0.08%) and it is not listed in CISA KEV, so there is no public exploit identified as actively exploited.

Deserialization Llamaindex RCE
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2025-69276 HIGH This Week

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows Deserialization Dx Netops Spectrum
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-22609 PyPI HIGH POC PATCH This Week

Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, enabling attackers to craft malicious pickles that bypass safety checks and achieve arbitrary code execution. This vulnerability affects users relying on Fickling to validate untrusted serialized Python objects for safety. Public exploit code exists for this HIGH severity vulnerability, though a patch is available in version 0.1.7 and later.

Python Deserialization AI / ML Fickling
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22608 PyPI HIGH PATCH This Week

Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.

Python RCE Deserialization AI / ML Fickling
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22607 PyPI HIGH POC PATCH This Week

Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle analysis, causing malicious pickles leveraging cProfile.run() to be marked as SUSPICIOUS rather than OVERTLY_MALICIOUS. Organizations using Fickling as a security gate for deserialization decisions may be deceived into executing attacker-controlled code. Public exploit code exists for this vulnerability, and patches are available in version 0.1.7 and later.

Python Deserialization AI / ML Fickling
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-22606 PyPI HIGH POC PATCH This Week

Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execute arbitrary code. Versions through 0.1.6 misclassify dangerous runpy-based payloads as merely suspicious rather than malicious, enabling code execution on systems that rely on Fickling to validate pickle safety. Public exploit code exists for this vulnerability, though a patch is available in version 0.1.7.

Python Deserialization AI / ML Fickling
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-67911 CRITICAL Act Now

Newsletters WordPress plugin by Tribulant (through 4.11) is vulnerable to PHP object injection through deserialization of untrusted data, potentially leading to RCE via POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22187 Maven HIGH This Week

Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).

Java RCE Denial Of Service Deserialization Bio Formats
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2025-69255 Cargo MEDIUM POC PATCH This Month

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Industrial Denial Of Service Deserialization Rustfs
NVD GitHub
CVSS 3.1
4.0
EPSS
0.4%
CVE-2025-47552 CRITICAL Act Now

DZS Video Gallery WordPress plugin (through 12.37) is vulnerable to PHP object injection through insecure deserialization. An unauthenticated attacker can inject arbitrary PHP objects, potentially achieving code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-47553 HIGH This Week

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-31047 HIGH This Week

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15453 LOW Monitor

A security vulnerability has been detected in milvu versions up to 2.6.7. is affected by improper input validation (CVSS 6.3).

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-21452 Maven HIGH POC PATCH This Week

MessagePack for Java versions prior to 0.9.11 are vulnerable to denial-of-service attacks through malicious .msgpack files that exploit unbounded heap allocation when deserializing EXT32 objects. An unauthenticated attacker can craft a small payload with attacker-controlled extension lengths that causes the library to attempt allocating excessive memory, leading to JVM heap exhaustion and service unavailability. Public exploit code exists for this vulnerability; organizations using affected versions should update immediately.

Java Deserialization Messagepack
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-15438 LOW POC Monitor

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. [CVSS 4.7 MEDIUM]

PHP Deserialization
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-11157 PyPI HIGH PATCH This Week

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]

Python Kubernetes RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-15375 LOW POC Monitor

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP Deserialization Eyoucms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15246 LOW Monitor

A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Apple Deserialization
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15222 LOW Monitor

A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deserialization
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-68038 HIGH This Week

PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-60084 HIGH This Week

PHP object injection in PDF for Elementor Forms plugin through version 6.5.0 allows authenticated attackers to execute arbitrary code or manipulate application logic via deserialization of untrusted data. While CVSS scores this 8.8 (High), real-world risk is tempered by authentication requirement (PR:L) and low EPSS score (0.06%, 19th percentile), indicating minimal observed exploitation attempts. No CISA KEV listing or public exploit code identified, suggesting attacks remain theoretical rather than widespread.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60083 HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

WordPress Woocommerce PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60082 HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60081 HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60080 HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14606 LOW Monitor

Deserialization vulnerability in Tiny RDM up to version 1.2.5 allows authenticated remote attackers to trigger unsafe pickle deserialization via the Pickle Decoding component, potentially leading to code execution. The attack requires high complexity and prior authentication, making practical exploitation difficult. Public exploit code is available, but the low EPSS score (0.10%) and absence of active exploitation tracking suggest limited real-world risk at present.

Deserialization
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-14476 HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

PHP Information Disclosure WordPress RCE Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67535 MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress Deserialization Google
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-66631 NuGet HIGH PATCH This Week

A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.

RCE Deserialization
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.5%
CVE-2025-66622 Cargo HIGH PATCH This Week

A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.

Denial Of Service Deserialization Python Matrix Rust Sdk
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution. [CVSS 8.8 HIGH]

RCE Deserialization Nios
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

{method} and /execute/{method} feed attacker-supplied request bodies straight into pickle.loads(), and the intended nonce authorization gate is bypassed because the nonce defaults to an empty string and is skipped by default. A detailed technical write-up (chocapikk.com) and a VulnCheck advisory describe the flaw; it is not listed in CISA KEV and EPSS is low (0.14%, 34th percentile), indicating no evidence of widespread active exploitation.

RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.

Azure Deserialization Azure Conversation Authoring Client Library
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Microsoft Outlook's unsafe deserialization of untrusted data enables remote attackers to spoof messages and identities without authentication over the network. This vulnerability affects Outlook, Word, and Microsoft 365 Apps, allowing attackers to impersonate legitimate senders and deceive users. No patch is currently available, making this a high-risk threat requiring immediate defensive measures.

Microsoft Outlook Deserialization +5
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Denial of service in SAP NetWeaver's JMS service stems from unsafe deserialization of malicious objects, allowing authenticated administrators with local access to crash the application. The vulnerability requires high privileges and local access but carries no risk to confidentiality or integrity. No patch is currently available.

SAP Denial Of Service Deserialization +1
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

PHP Deserialization File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

EPyT-Flow hydraulic simulation package has a CVSS 10.0 insecure deserialization enabling code execution when loading simulation scenario files.

Python Command Injection Deserialization +1
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

PHP RCE Deserialization
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. [CVSS 7.2 HIGH]

Deserialization Blesta
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. [CVSS 7.5 HIGH]

Deserialization Blesta
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Deserialization Fast Dds Debian Linux
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. [CVSS 8.4 HIGH]

Python Deserialization Boltz +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]

Python Privilege Escalation Deserialization +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

magepeopleteam WpEvently mage-eventpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. [CVSS 7.8 HIGH]

RCE Deserialization Suse
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.

Java Deserialization
NVD GitHub VulDB
EPSS 12% CVSS 9.8
CRITICAL Act Now

SolarWinds Web Help Desk has a second deserialization vulnerability (EPSS 11.9%) providing another unauthenticated RCE path alongside CVE-2025-40551.

RCE Deserialization Web Help Desk
NVD GitHub
EPSS 81% 7.4 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

SolarWinds Web Help Desk contains an unauthenticated Java deserialization vulnerability (CVE-2025-40551, CVSS 9.8) that enables remote code execution. With EPSS 80.6% and KEV listing, this is the more severe of two concurrent WHD vulnerabilities, allowing attackers to execute arbitrary commands on the host server without any credentials.

RCE Deserialization Web Help Desk
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Unsafe deserialization in PHPUnit versions before 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8 allows local attackers to execute arbitrary code by placing malicious serialized objects in `.coverage` files that are deserialized without validation during PHPT test execution. An attacker with file write access can exploit the `cleanupForCoverage()` method's lack of object class restrictions to trigger gadget chains through `__wakeup()` methods. This high-severity vulnerability (CVSS 7.8) affects developers and CI/CD systems running PHPUnit on Linux systems.

RCE Deserialization Debian Linux +3
NVD GitHub
EPSS 0%
This Week

Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.

Java Deserialization
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. [CVSS 3.7 LOW]

Apache Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

RCE Deserialization AI / ML
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

RCE Deserialization AI / ML +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

RCE Deserialization AI / ML +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

RCE Deserialization AI / ML +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

RCE Deserialization AI / ML +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

RCE Deserialization AI / ML +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

RCE Deserialization Vectorstar
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

RCE Deserialization Vectorstar
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. [CVSS 7.8 HIGH]

RCE Deserialization Shockline
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

ThemeREX Sound/musicplace WordPress theme has an insecure deserialization vulnerability enabling PHP object injection and potential remote code execution.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

strongholdthemes Tech Life CPT techlife-cpt is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

strongholdthemes Dental Care CPT dentalcare-cpt is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection.This issue affects OneLife: from n/a through <= 3.9. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection.This issue affects Anona: from n/a through <= 8.0. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.1. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Consult Aid WordPress theme has an insecure deserialization vulnerability allowing object injection that can lead to remote code execution.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue affects JupiterX Core: from n/a through <= 4.10.1. [CVSS 8.5 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Docling Core versions 2.21.0 through 2.48.3 allows unauthenticated attackers to execute arbitrary code when applications deserialize untrusted YAML data using the `DoclingDocument.load_from_yaml()` method with vulnerable PyYAML versions. The vulnerability stems from unsafe deserialization practices (CWE-502) and affects document processing systems using affected library versions. No patch is currently available; mitigation requires upgrading to version 2.48.4 or ensuring PyYAML 5.4+ is installed.

RCE Deserialization Docling Core
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service attacks due to unbounded recursion when serializing deeply nested objects, allowing remote attackers to crash applications by exceeding the call stack limit. The vulnerability affects the deserialization library's handling of complex data structures without depth validation. Version 1.4.1 introduces a configurable depthLimit parameter to prevent exploitation of this resource exhaustion condition.

Deserialization Denial Of Service Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service through malformed deserialization payloads that specify excessively large array lengths, causing the parsing process to consume excessive CPU resources and become unresponsive. An unauthenticated remote attacker can exploit this without user interaction by sending a crafted serialized object to any application using the vulnerable library. The vulnerability has been patched in version 1.4.1.

Deserialization Denial Of Service Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.

Denial Of Service Deserialization Seroval
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.

Deserialization Seroval Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).

Deserialization Seroval Red Hat +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.

Redis Laravel RCE +2
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC This Week

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. [CVSS 7.4 HIGH]

Null Pointer Dereference Deserialization Everest
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.

Python RCE Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
EPSS 0%
PATCH This Week

The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 .

Typo3 Deserialization
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Changjetong T+ (through 16.x) has .NET deserialization RCE in an AjaxPro endpoint. Attacker-controlled JSON triggers deserialization of malicious .NET types. PoC available.

.NET RCE Deserialization
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Azure Core Shared Client Library for Python results from insecure deserialization of untrusted data, allowing authenticated network-based attackers to achieve arbitrary code execution. The vulnerability affects Python applications utilizing the vulnerable library versions, with no patch currently available. This represents a high-severity risk for Azure SDK consumers handling external or user-supplied serialized data.

Python Azure Deserialization +2
NVD
EPSS 2% 5.0 CVSS 9.8
CRITICAL POC KEV EUVD KEV PATCH THREAT Emergency

Microsoft Office SharePoint contains a deserialization vulnerability (CVE-2026-20963) that allows authenticated users to execute arbitrary code over the network through crafted serialized objects. KEV-listed with public PoC, this CVSS 8.8 vulnerability enables any SharePoint user to escalate to server-level code execution, making it a critical threat for organizations relying on SharePoint for document management and collaboration.

Microsoft Deserialization
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary PHP code execution in TYPO3 CMS versions 10.0.0 through 14.0.1 through unsafe deserialization of mail spool files, allowing local attackers with write access to the spool directory to execute malicious code when the mailer:spool:send command is executed. Affected versions span multiple release lines including 10.x, 11.x, 12.x, 13.x, and 14.x, requiring immediate patching to prevent web server compromise.

Typo3 PHP Deserialization
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Index.load_from_disk() calls pickle.load() on a multi_embed_store.pkl file read from an attacker-controlled persist_dir. A victim who loads a maliciously crafted index directory executes attacker-supplied code in their own process. Publicly available exploit code exists (huntr bounty submission), though EPSS is low (0.08%) and it is not listed in CISA KEV, so there is no public exploit identified as actively exploited.

Deserialization Llamaindex RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows +2
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, enabling attackers to craft malicious pickles that bypass safety checks and achieve arbitrary code execution. This vulnerability affects users relying on Fickling to validate untrusted serialized Python objects for safety. Public exploit code exists for this HIGH severity vulnerability, though a patch is available in version 0.1.7 and later.

Python Deserialization AI / ML +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.

Python RCE Deserialization +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle analysis, causing malicious pickles leveraging cProfile.run() to be marked as SUSPICIOUS rather than OVERTLY_MALICIOUS. Organizations using Fickling as a security gate for deserialization decisions may be deceived into executing attacker-controlled code. Public exploit code exists for this vulnerability, and patches are available in version 0.1.7 and later.

Python Deserialization AI / ML +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execute arbitrary code. Versions through 0.1.6 misclassify dangerous runpy-based payloads as merely suspicious rather than malicious, enabling code execution on systems that rely on Fickling to validate pickle safety. Public exploit code exists for this vulnerability, though a patch is available in version 0.1.7.

Python Deserialization AI / ML +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Newsletters WordPress plugin by Tribulant (through 4.11) is vulnerable to PHP object injection through deserialization of untrusted data, potentially leading to RCE via POP chains.

Deserialization
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).

Java RCE Denial Of Service +2
NVD
EPSS 0% CVSS 4.0
MEDIUM POC PATCH This Month

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Industrial Denial Of Service Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

DZS Video Gallery WordPress plugin (through 12.37) is vulnerable to PHP object injection through insecure deserialization. An unauthenticated attacker can inject arbitrary PHP objects, potentially achieving code execution through POP chains.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]

Deserialization
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A security vulnerability has been detected in milvu versions up to 2.6.7. is affected by improper input validation (CVSS 6.3).

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

MessagePack for Java versions prior to 0.9.11 are vulnerable to denial-of-service attacks through malicious .msgpack files that exploit unbounded heap allocation when deserializing EXT32 objects. An unauthenticated attacker can craft a small payload with attacker-controlled extension lengths that causes the library to attempt allocating excessive memory, leading to JVM heap exhaustion and service unavailability. Public exploit code exists for this vulnerability; organizations using affected versions should update immediately.

Java Deserialization Messagepack
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. [CVSS 4.7 MEDIUM]

PHP Deserialization
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]

Python Kubernetes RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP Deserialization Eyoucms
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Apple Deserialization
NVD VulDB
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in PDF for Elementor Forms plugin through version 6.5.0 allows authenticated attackers to execute arbitrary code or manipulate application logic via deserialization of untrusted data. While CVSS scores this 8.8 (High), real-world risk is tempered by authentication requirement (PR:L) and low EPSS score (0.06%, 19th percentile), indicating minimal observed exploitation attempts. No CISA KEV listing or public exploit code identified, suggesting attacks remain theoretical rather than widespread.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

WordPress Woocommerce PHP +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Deserialization vulnerability in Tiny RDM up to version 1.2.5 allows authenticated remote attackers to trigger unsafe pickle deserialization via the Pickle Decoding component, potentially leading to code execution. The attack requires high complexity and prior authentication, making practical exploitation difficult. Public exploit code is available, but the low EPSS score (0.10%) and absence of active exploitation tracking suggest limited real-world risk at present.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

PHP Information Disclosure WordPress +2
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress Deserialization Google
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.

RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.

Denial Of Service Deserialization Python +1
NVD GitHub VulDB
Prev Page 8 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy