Skip to main content

Deserialization

2662 CVEs technique

Monthly

CVE-2025-63721 HIGH POC This Week

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.

Deserialization Hummerrisk
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-66571 CRITICAL POC Act Now

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

PHP Deserialization
NVD GitHub Exploit-DB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-55182 npm CRITICAL POC KEV EUVD KEV PATCH THREAT Act Now

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.

Deserialization RCE React Next.Js Red Hat +1
NVD GitHub Exploit-DB VulDB
CVSS 3.1
10.0
EPSS
71.1%
Threat
9.1
CVE-2025-41700 HIGH PATCH This Week

An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.

RCE Deserialization Codesys
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-13805 Maven LOW POC Monitor

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.

Deserialization Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-9191 MEDIUM This Month

The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure WordPress
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-62703 PyPI HIGH POC PATCH This Week

Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Python Fugue
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-51746 CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-51745 CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-51744 CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-51743 CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-51742 CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-61168 CRITICAL Act Now

An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP RCE Pmb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13467 Maven MEDIUM PATCH This Month

A flaw was found in the Keycloak LDAP User Federation provider. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Red Hat
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-66073 HIGH This Week

PHP object injection in WP Webhooks plugin versions through 3.3.8 allows authenticated administrators to execute arbitrary code through unsafe deserialization of untrusted data. Exploitation requires high-privilege WordPress admin access but achieves complete system compromise once triggered. EPSS score of 0.09% indicates low observed exploitation despite network-reachable attack vector, likely due to the elevated privilege requirement limiting real-world opportunities.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-66055 HIGH This Month

Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.9.10. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-59245 CRITICAL This Week

Microsoft SharePoint Online Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Online
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-36072 HIGH This Month

IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE IBM Webmethods Integration
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-64408 Maven MEDIUM PATCH This Month

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Causeway
NVD
CVSS 3.1
6.3
EPSS
0.8%
CVE-2025-13145 HIGH This Month

The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure WordPress
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-60455 PyPI HIGH POC PATCH This Week

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Max
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-12844 HIGH This Month

The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization PHP Information Disclosure WordPress
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-11367 CRITICAL This Week

The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE N Central
NVD
CVSS 4.0
10.0
EPSS
1.5%
CVE-2025-62204 HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
CVSS 3.1
8.0
EPSS
3.0%
CVE-2025-64512 PyPI HIGH POC PATCH This Week

Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Pdfminer Six Debian Linux Suse
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-63617 MEDIUM POC This Week

ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Ktg Mes
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-12099 HIGH This Month

The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure WordPress
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-64439 PyPI HIGH PATCH This Month

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
CVSS 4.0
7.4
EPSS
0.8%
CVE-2025-27917 HIGH POC This Month

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Google Apple Null Pointer Dereference Microsoft +6
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-62035 HIGH This Month

Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60245 CRITICAL This Week

Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.9.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-58998 CRITICAL This Week

Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-58636 CRITICAL This Week

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-58619 HIGH This Month

Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.3.65. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-58592 HIGH This Month

Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.10.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-54719 HIGH This Month

Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53586 HIGH This Week

PHP object injection in NooTheme WeMusic WordPress theme version ≤1.9.1 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic through unsafe deserialization of untrusted data. Reported by Patchstack audit team. EPSS exploitation probability is low (0.10%, 27th percentile), indicating limited observed attacker interest despite the critical CVSS 8.8 rating. No active exploitation confirmed by CISA KEV at time of analysis.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53242 CRITICAL This Week

Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49393 CRITICAL This Week

Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49386 HIGH This Week

PHP object injection in WordPress plugin Preserve Code Formatting 4.0.1 and earlier enables authenticated attackers to execute arbitrary code or manipulate application state. Remote attackers with low-privilege WordPress accounts (Contributor-level or above) can inject malicious serialized objects through unsafe deserialization, achieving high impact to confidentiality, integrity, and availability. EPSS score of 0.10% indicates minimal widespread exploitation activity, though the vulnerability requires only low-complexity exploitation with no user interaction once authenticated access is obtained.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48086 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-64164 HIGH POC PATCH This Week

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Oracle Java Dataease
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-8871 MEDIUM This Month

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type(). Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization PHP Information Disclosure WordPress
NVD
CVSS 3.1
5.6
EPSS
0.2%
CVE-2025-12305 LOW POC Monitor

Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.

Java Deserialization Shiyi Blog
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-34292 CRITICAL Act Now

Remote code execution in Rox, the PHP platform powering the BeWelcome hospitality-exchange community, arises from unsafe unserialize() calls on attacker-controllable input: the POST parameter `formkit_memory_recovery` handled by RoxPostHandler::getCallbackAction and the `bwRemember` 'memory cookie' read by RoxModelBase::getMemoryCookie. Because usable PHP gadget chains ship in Rox and its bundled libraries, an attacker with low-level access can trigger PHP object injection to write arbitrary files or execute code, resulting in full site compromise. The issue carries a CVSS 4.0 base score of 9.4 and was fixed in commit c60bf04 (2025-06-16); no public exploit identified at time of analysis, though a referenced technical gist may contain exploitation detail.

PHP RCE Deserialization
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-60238 CRITICAL Act Now

PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60216 CRITICAL Act Now

PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60214 CRITICAL Act Now

PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.

WordPress Deserialization Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59007 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49380 CRITICAL Act Now

PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to 3.7 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by Patchstack audit team, this represents a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data unavailable; not currently listed in CISA KEV, suggesting limited widespread exploitation at time of disclosure.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11938 LOW POC Monitor

Unsafe deserialization in ChurchCRM setup/routes/setup.php allows remote attackers to manipulate DB_PASSWORD, ROOT_PATH, or URL parameters, leading to arbitrary code execution with limited impact. The vulnerability affects versions up to 5.18.0 and has publicly available exploit code, though EPSS exploitation probability remains low at 0.10% percentile, suggesting real-world exploitation is constrained by high attack complexity and difficult exploitability factors.

PHP Deserialization Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-60641 MEDIUM This Month

PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.

Deserialization Path Traversal SQLi Denial Of Service RCE +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-60828 MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-11273 LOW Monitor

A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deserialization
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-61677 PyPI LOW PATCH Monitor

DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.

RCE Python Deserialization
NVD GitHub
CVSS 3.1
2.5
EPSS
0.1%
CVE-2025-7825 MEDIUM This Month

The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Deserialization Information Disclosure PHP WordPress
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-61622 PyPI CRITICAL PATCH Act Now

Pickle deserialization RCE in pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3.

RCE Deserialization Python Fory
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-11135 MEDIUM This Month

A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Deserialization
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-58384 CRITICAL Act Now

In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 3.1
10.0
EPSS
1.3%
CVE-2025-10975 LOW Monitor

A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10974 LOW Monitor

A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10965 LOW Monitor

A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10950 PyPI LOW Monitor

A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-56816 HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Path Traversal Datart
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-48459 LIB MEDIUM PATCH GHSA This Month

Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Iotdb
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2025-26399 CRITICAL KEV PATCH THREAT CERT-EU Act Now

SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability.

RCE Deserialization Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
28.2%
CVE-2025-58662 HIGH This Week

Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection.3.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-57919 HIGH This Week

Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-53465 HIGH This Week

Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection.1.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-10771 LOW POC Monitor

A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10770 LOW POC Monitor

A vulnerability was found in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10769 LOW POC Monitor

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10768 LOW POC Monitor

A flaw has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6544 LIB CRITICAL POC PATCH Act Now

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization H2O
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2025-34205 CRITICAL POC Act Now

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Docker PHP Deserialization RCE Virtual Appliance Application +1
NVD
CVSS 4.0
9.3
EPSS
4.3%
CVE-2025-9906 PyPI HIGH PATCH GHSA This Month

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Python RCE Deserialization Keras Red Hat
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-59713 PHP MEDIUM PATCH This Month

Snipe-IT before 8.1.18 allows unsafe deserialization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Snipe It
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-10035 CRITICAL POC KEV THREAT Emergency

Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD
CVSS 3.1
10.0
EPSS
58.8%
Threat
6.8
CVE-2025-9083 CRITICAL POC Act Now

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization Ninja Forms
NVD WPScan
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-59050 HIGH POC PATCH This Week

Greenshot is an open source Windows screenshot utility. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Microsoft Greenshot Windows
NVD GitHub
CVSS 3.1
8.4
EPSS
0.3%
CVE-2025-10492 Maven HIGH PATCH CISA This Month

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java Jasperreports Io Jasperreports Library +3
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-59328 Maven MEDIUM PATCH This Month

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Apache Fory
NVD
CVSS 3.1
6.5
EPSS
3.1%
CVE-2025-58748 HIGH POC PATCH This Week

Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2025-58046 HIGH POC PATCH This Week

Dataease is an open-source data visualization and analysis platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
1.1%
CVE-2025-58045 HIGH POC PATCH This Week

Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization SSRF Dataease
NVD GitHub
CVSS 4.0
7.1
EPSS
1.1%
CVE-2025-10433 LOW Monitor

A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-58364 MEDIUM POC PATCH This Month

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Cups Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-10252 LOW Monitor

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.

Deserialization Java
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-10164 PyPI MEDIUM PATCH This Month

A security flaw has been discovered in lmsys sglang 0.4.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-55232 CRITICAL This Week

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Hpc Pack
NVD
CVSS 3.1
9.8
EPSS
1.2%
EPSS 0% CVSS 8.8
HIGH POC This Week

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.

Deserialization Hummerrisk
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

PHP Deserialization
NVD GitHub Exploit-DB
EPSS 71% 9.1 CVSS 10.0
CRITICAL POC KEV EUVD KEV PATCH THREAT Act Now

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.

Deserialization RCE React +3
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.

RCE Deserialization Codesys
NVD
EPSS 0% CVSS 2.9
LOW POC Monitor

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.

Deserialization Java
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Python +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jsherp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in the Keycloak LDAP User Federation provider. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Java Red Hat
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

PHP object injection in WP Webhooks plugin versions through 3.3.8 allows authenticated administrators to execute arbitrary code through unsafe deserialization of untrusted data. Exploitation requires high-privilege WordPress admin access but achieves complete system compromise once triggered. EPSS score of 0.09% indicates low observed exploitation despite network-reachable attack vector, likely due to the elevated privilege requirement limiting real-world opportunities.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Month

Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.9.10. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

Microsoft SharePoint Online Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Online
NVD
EPSS 1% CVSS 8.8
HIGH This Month

IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE IBM +1
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Apache +2
NVD
EPSS 0% CVSS 7.2
HIGH This Month

The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure +1
NVD
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Max
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Month

The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization PHP Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL This Week

The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE N Central
NVD
EPSS 3% CVSS 8.0
HIGH This Month

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Microsoft Sharepoint Server
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Pdfminer Six +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Week

ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Ktg Mes
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization PHP Information Disclosure +1
NVD
EPSS 1% CVSS 7.4
HIGH PATCH This Month

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Month

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Google Apple +8
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.9.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.3.65. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.1
HIGH This Month

Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.10.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in NooTheme WeMusic WordPress theme version ≤1.9.1 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic through unsafe deserialization of untrusted data. Reported by Patchstack audit team. EPSS exploitation probability is low (0.10%, 27th percentile), indicating limited observed attacker interest despite the critical CVSS 8.8 rating. No active exploitation confirmed by CISA KEV at time of analysis.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in WordPress plugin Preserve Code Formatting 4.0.1 and earlier enables authenticated attackers to execute arbitrary code or manipulate application state. Remote attackers with low-privilege WordPress accounts (Contributor-level or above) can inject malicious serialized objects through unsafe deserialization, achieving high impact to confidentiality, integrity, and availability. EPSS score of 0.10% indicates minimal widespread exploitation activity, though the vulnerability requires only low-complexity exploitation with no user interaction once authenticated access is obtained.

Deserialization
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Oracle Java +1
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type(). Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization PHP Information Disclosure +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.

Java Deserialization Shiyi Blog
NVD GitHub VulDB
EPSS 1% CVSS 9.4
CRITICAL Act Now

Remote code execution in Rox, the PHP platform powering the BeWelcome hospitality-exchange community, arises from unsafe unserialize() calls on attacker-controllable input: the POST parameter `formkit_memory_recovery` handled by RoxPostHandler::getCallbackAction and the `bwRemember` 'memory cookie' read by RoxModelBase::getMemoryCookie. Because usable PHP gadget chains ship in Rox and its bundled libraries, an attacker with low-level access can trigger PHP object injection to write arbitrary files or execute code, resulting in full site compromise. The issue carries a CVSS 4.0 base score of 9.4 and was fixed in commit c60bf04 (2025-06-16); no public exploit identified at time of analysis, though a referenced technical gist may contain exploitation detail.

PHP RCE Deserialization
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.

WordPress Deserialization Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to 3.7 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by Patchstack audit team, this represents a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data unavailable; not currently listed in CISA KEV, suggesting limited widespread exploitation at time of disclosure.

WordPress Deserialization
NVD
EPSS 0% CVSS 2.9
LOW POC Monitor

Unsafe deserialization in ChurchCRM setup/routes/setup.php allows remote attackers to manipulate DB_PASSWORD, ROOT_PATH, or URL parameters, leading to arbitrary code execution with limited impact. The vulnerability affects versions up to 5.18.0 and has publicly available exploit code, though EPSS exploitation probability remains low at 0.10% percentile, suggesting real-world exploitation is constrained by high attack complexity and difficult exploitability factors.

PHP Deserialization Churchcrm
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.

Deserialization Path Traversal SQLi +3
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deserialization
NVD VulDB
EPSS 0% CVSS 2.5
LOW PATCH Monitor

DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.

RCE Python Deserialization
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Deserialization Information Disclosure PHP +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Pickle deserialization RCE in pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3.

RCE Deserialization Python +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Deserialization
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Path Traversal +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Iotdb
NVD
EPSS 28% CVSS 9.8
CRITICAL KEV PATCH THREAT Act Now

SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability.

RCE Deserialization Web Help Desk
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection.3.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection.1.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A flaw has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization H2O
NVD GitHub
EPSS 4% CVSS 9.3
CRITICAL POC Act Now

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Docker PHP Deserialization +3
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Month

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Python RCE Deserialization +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Snipe-IT before 8.1.18 allows unsafe deserialization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Snipe It
NVD GitHub
EPSS 59% 6.8 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization +1
NVD WPScan
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Greenshot is an open source Windows screenshot utility. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Microsoft +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java +5
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Apache +1
NVD
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Dataease
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Dataease is an open-source data visualization and analysis platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Dataease
NVD GitHub
EPSS 1% CVSS 7.1
HIGH POC PATCH This Week

Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization SSRF +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Cups Red Hat +1
NVD GitHub
EPSS 0% CVSS 1.3
LOW Monitor

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.

Deserialization Java
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A security flaw has been discovered in lmsys sglang 0.4.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL This Week

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Hpc Pack
NVD
Prev Page 9 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy