Insecure Deserialization

Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.

Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis. The CVSS 8.1 (High) reflects network accessibility but 'High' attack complexity (AC:H), indicating successful exploitation requires specific conditions beyond simple network access.

Improper error handling in free5GC AMF prior to version 1.4.3 allows remote attackers to invoke the HTTPUEContextTransfer handler with uninitialized request objects by sending requests with unsupported Content-Type headers. The missing default case in the Content-Type switch statement silently skips deserialization without raising an error, resulting in integrity loss when malformed or crafted payloads reach the processor with null/uninitialized state. CVSS score of 5.5 reflects low integrity impact; publicly available exploit code exists (E:P).

Fail-open request handling in free5GC UDR's POST /nudr-dr/v2/policy-data/subs-to-notify endpoint allows Policy Data notification subscriptions to be created with invalid, empty, or partially processed input after HTTP body read or deserialization failures. The handler fails to return after sending error responses (HTTP 500 for body read failure, HTTP 400 for deserialization failure), causing execution to continue and invoke the subscription processor with an uninitialized or malformed PolicyDataSubscription object. This is a logic flaw rather than memory corruption or remote code execution, but it violates fail-secure design principles for a write-capable API and may result in inconsistent subscription state or unintended database entries depending on downstream validation behavior.

PHP object injection in MetaSlider Responsive Slider plugin (WordPress) through version 3.106.0 allows authenticated administrators with high privileges to execute arbitrary code by deserializing untrusted data. The vulnerability requires authenticated high-privilege access (PR:H), limiting exploitation to compromised admin accounts or malicious insiders. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.

Deserialization vulnerability in Apache Airflow webserver (all versions before 3.2.0) allows network-accessible attackers to execute arbitrary code by injecting malicious XCom payloads, despite vendor-assigned Low severity due to the trusted Dag Author threat model. CVSS 9.8 Critical rating reflects unauthenticated network-based RCE capability (AV:N/PR:N), contradicting the description's trust assumption. EPSS 0.07% (22nd percentile) suggests low immediate exploitation likelihood. No active exploitation confirmed; vendor patch available in version 3.2.0 with public GitHub PR.

Zebra cryptocurrency node prior to version 4.3.1 allocates excessive memory (up to 233,016 addresses) when deserializing addr/addrv2 protocol messages, even though the specification limits messages to 1,000 addresses. An attacker can trigger out-of-memory crashes by sending multiple oversized address messages over different connections. This is a network-accessible denial of service vulnerability affecting all Zebra versions before 4.3.1, with no public exploit code identified but straightforward to execute given the protocol specification.

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.

Remote code execution in Digital Knowledge KnowledgeDeliver (all versions prior to February 24, 2026) via malicious ViewState deserialization. A hard-coded ASP.NET machineKey allows unauthenticated remote attackers to bypass ViewState validation and execute arbitrary code on the server. Mandiant reported this critical deserialization vulnerability. EPSS score of 0.08% (24th percentile) suggests low observed exploitation activity, though no public exploit is confirmed at time of analysis. CVSS vector indicates network-accessible attack requiring no privileges or user interaction, but the 7.5 score reflects only Confidentiality impact-real-world RCE capability makes this significantly more severe than the partial CVSS rating suggests.

Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4.

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Free5GC UDR service fails to terminate request processing after HTTP body retrieval or JSON deserialization errors in the PUT /nudr-dr/v2/policy-data/subs-to-notify/{subsId} endpoint, allowing unintended modification of Policy Data notification subscriptions with invalid or partially processed input. The handler lacks return statements following error responses, causing execution to continue to the downstream processor with uninitialized or empty subscription objects. No public exploit code or active exploitation has been confirmed; this is a robustness and input validation flaw affecting write operations on a core 5G network function.

Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. Public exploit code exists. EPSS score is low (0.10%) indicating limited observed exploitation, but impact is severe for exposed deployments with misconfigured network segmentation.

Remote code execution in Adobe Connect versions 12.10 and earlier allows unauthenticated attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability achieves scope change, enabling attackers to break out of the application's security context and impact resources beyond the vulnerable component. Despite the 9.6 CVSS score and total technical impact classification, no active exploitation has been confirmed (SSVC: exploitation=none), and CISA has not added this to the KEV catalog. The attack requires low complexity but does require user interaction (CVSS UI:R), constraining automatic exploitation scenarios.

Arbitrary code execution affects Adobe Connect through version 12.10 and 2025.3 via deserialization of untrusted data. Remote attackers can execute code in the victim's security context without authentication but require user interaction (UI:R), with scope change enabling cross-boundary impacts. No active exploitation confirmed (SSVC: exploitation=none), though the CVSS score of 9.3 reflects critical severity due to network attack vector, low complexity, and high confidentiality/integrity impact. Adobe has released security bulletin APSB26-37 addressing this vulnerability.

Privilege escalation in Azure Monitor Agent versions prior to 1.41.0 exploits insecure deserialization of untrusted data, allowing authenticated local attackers with low privileges to achieve full system compromise (high confidentiality, integrity, and availability impact). CVSS 7.8 severity reflects local attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis, though the vulnerability class (CWE-502) is well-understood and frequently targeted. Microsoft has released patch version 1.41.0 to address this flaw.

Deserialization of untrusted data in Microsoft HPC Pack 2019 enables authenticated local attackers to escalate privileges to SYSTEM level. Affects all versions below 6.3.8355. Vendor-released patch available via Microsoft Security Response Center. CVSS 7.8 reflects high impact (complete system compromise) with low attack complexity requiring only low-level authenticated access. No public exploit identified at time of analysis, though CWE-502 deserialization flaws are well-understood and commonly weaponized once technical details emerge.

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.

Remote code execution in Keras 3.13.0 allows unauthenticated attackers to execute arbitrary code by crafting malicious .keras model files that load attacker-controlled TensorFlow SavedModels during deserialization, bypassing safe_mode protections. Exploitation requires user interaction (victim must load the malicious model), but no authentication is required to deliver the payload. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, but the technical barrier is low given the detailed vulnerability disclosure.

Remote code execution in Apache Airflow 3.1.x allows authenticated DAG Authors to execute arbitrary code in the webserver context through crafted XCom payloads exploiting insecure deserialization (CWE-502). Affects Apache Airflow versions 3.1.8 through <3.2.0. Despite CVSS 8.8, vendor rates severity as Low due to DAG Authors being highly trusted roles. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.07% (21st percentile), indicating minimal real-world risk. Vendor-released patch: Apache Airflow 3.2.0.

Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

wolfSSL versions up to 5.9.0 allow arbitrary memory deallocation via unsafe deserialization of poisoned session cache data. An attacker with high privileges who can inject a crafted session into the cache and trigger specific session restore API calls can cause memory corruption with availability impact. No public exploit code or active exploitation has been confirmed; the vulnerability requires precise conditions including local access, high privileges, and user interaction.

Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. CVSS 9.4 (Critical). No public exploit identified at time of analysis. Attack requires low-privileged authentication (PR:L) and network access but no user interaction.

LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.

Unsafe YAML deserialization in PraisonAI allows remote code execution through malicious agent definition files. The AgentService.loadAgentFromFile method uses js-yaml.load without safe schema restrictions, permitting dangerous tags like !!js/function that execute arbitrary JavaScript. Unauthenticated attackers can upload crafted YAML files via API endpoints to achieve complete server compromise. Affects PraisonAI prior to v4.5.115. Publicly available exploit code exists via proof-of-concept demonstrating command execution.

Arbitrary code execution in Red Hat Quay via unsafe deserialization during resumable container image uploads affects multiple Quay 3.x deployments and Mirror Registry instances. An authenticated attacker with low privileges can tamper with intermediate upload data stored in the database to execute code on the Quay server, though exploitation requires high attack complexity and user interaction (CVSS 7.1). EPSS data not available; no public exploit identified at time of analysis, but the deserialization vulnerability class (CWE-502) is well-understood and frequently targeted.

PHP object injection in Everest Forms for WordPress (all versions ≤3.4.3) allows unauthenticated remote attackers to achieve critical system compromise. Attackers submit malicious serialized payloads through any public form field, which persist through sanitization into the wp_evf_entrymeta database table. When administrators view form entries, unsafe unserialize() without class restrictions processes the payload, enabling arbitrary code execution. CVSS 9.8 (Critical) reflects network-accessible

Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.

Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Unsafe deserialization in pytries datrie through version 0.8.3 enables remote code execution when loading untrusted trie files via Trie.load(), Trie.read(), or Trie.__setstate__(). Unauthenticated remote attackers can exploit this vulnerability by crafting malicious serialized trie objects; publicly available exploit code exists, and the maintainers have not yet addressed the issue despite early notification.

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Vendor unresponsive to coordinated disclosure attempts, raising concerns about patch availability and ongoing risk for production deployments of this federated machine learning framework.

Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.

Unsafe deserialization in NASA cFS Pickle Module (versions up to 7.0.0) allows authenticated local attackers with low privileges to trigger remote code execution or information disclosure through the pickle.load() function. The vulnerability requires high attack complexity and local access, limiting its practical exploitation scope. Public exploit code is available, but the issue remains unpatched as of the last vendor update.

Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.

Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient impleme

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in

Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.

Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.

Insecure deserialization in WatchGuard Fireware OS enables local code execution as the portald user when combined with a filesystem write primitive. Affects Fireware OS versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2 on platforms supporting Access Portal (excludes T-15/T-35 models). CVSS 8.4 severity reflects high impact but requires prior high-privilege local access and an existing write vulnerability to exploit. No public exploit identified at time of analysis, with EPSS data unavailable for risk probability assessment.

Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.

Arbitrary Perl code execution in GRID::Machine through version 0.127 occurs when clients connect to remote hosts via RPC over SSH, as the client-side deserializer uses eval() on untrusted data from the remote peer without validation. A compromised or malicious remote host can inject arbitrary Perl code into Dumper-formatted responses that executes silently on the client during RPC calls, while maintaining correct return values to avoid detection. The vulnerability is design-inherent but the trust requirement for remote hosts is not documented, creating a security expectation mismatch for users.

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

The serialize-javascript npm library versions prior to 7.0.5 contain a CPU exhaustion denial-of-service vulnerability triggered when processing specially crafted array-like objects with artificially large length properties, causing the serialization process to hang indefinitely and consume 100% CPU. The vulnerability affects npm package serialize-javascript (pkg:npm/serialize-javascript) and impacts applications that serialize untrusted or user-controlled objects, particularly those also vulnerable to prototype pollution or YAML deserialization attacks that could inject malicious payloads. No public exploit code has been identified, but the attack vector is network-accessible with high complexity, posing a moderate real-world threat in supply-chain and backend service contexts.

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

Remote Code Execution and Arbitrary File Read in Metabase Enterprise Edition allows authenticated administrators to execute arbitrary code and read sensitive files via malicious serialization archives. Affected versions span at least 1.47 through 1.59.3, with patches released in versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. The vulnerability exploits the POST /api/ee/serialization/import endpoint by injecting INIT properties into H2 JDBC specifications within crafted serialization archives, triggering arbitrary SQL execution during database synchronization. Authentication as an admin is required (CVSS PR:H), and the vulnerability has been confirmed exploitable on Metabase Cloud infrastructure.

Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. Vendor-released patch: version 1.60.3. No public exploit identified at time of analysis, though the issue was responsibly disclosed through DataDog's bug bounty program by Mohamed Amine ait Ouchebou.

A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.

The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. This represents a critical risk for WordPress sites using this plugin with elevated user accounts.

Saloon PHP library versions prior to 4.0.0 contain a PHP object injection vulnerability in the AccessTokenAuthenticator::unserialize() method, which unsafely deserializes OAuth token state using unserialize() with allowed_classes set to true. An attacker who can control the serialized token string-such as by overwriting a cached token file or injecting malicious data-can supply a crafted serialized gadget object that executes arbitrary code through PHP magic methods during deserialization. In environments with common dependencies like Monolog present, this vulnerability can be reliably chained to achieve remote code execution (RCE), making it a critical threat to any API integration or SDK built on vulnerable Saloon versions.

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.

A deserialization of untrusted data vulnerability in the JS Archive List jQuery widget (jquery-archive-list-widget) versions up to 6.1.7 allows remote attackers to inject malicious objects and achieve code execution or information disclosure. The vulnerability affects WordPress installations using the vulnerable plugin versions, and exploitation requires sending crafted serialized PHP objects to the affected endpoint. No CVSS vector or EPSS score has been assigned, and KEV status is unknown, though the vulnerability was reported by Patchstack security researchers.

A PHP object injection vulnerability exists in the Edge-Themes Pelicula video production and movie theme due to insecure deserialization of untrusted data, classified as CWE-502. The vulnerability affects Pelicula versions prior to 1.10, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. No CVSS score or EPSS data has been published, and no confirmed KEV or active exploitation in the wild has been reported, but the nature of object injection vulnerabilities typically enables high-impact attacks when paired with accessible gadget chains in the WordPress ecosystem.

A deserialization of untrusted data vulnerability exists in Mikado-Themes Stål (a WordPress theme) that allows arbitrary object injection through unsafe unserialize() operations. Versions prior to 1.7 are affected. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution, data exfiltration, or site compromise depending on available gadget chains in the WordPress environment.

A deserialization of untrusted data vulnerability exists in Edge-Themes Kamperen WordPress theme versions prior to 1.3, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability enables remote code execution or information disclosure without requiring authentication in many scenarios. While no CVSS score is currently published and KEV/EPSS data are unavailable, the vulnerability has been reported by Patchstack and affects all installations of the Kamperen theme below version 1.3.

A deserialization of untrusted data vulnerability exists in Edge-Themes Gracey WordPress theme versions prior to 1.4, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability affects all installations of Gracey below version 1.4 and could enable remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS risk metric, or KEV status has been publicly assigned, but the vulnerability is documented by Patchstack with a patch available in version 1.4.

This is a deserialization of untrusted data vulnerability in the Mikado-Themes Halstein WordPress theme (versions prior to 1.8) that allows arbitrary object injection via CWE-502. An attacker can exploit this flaw to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains. The vulnerability was reported by Patchstack and affects all versions of Halstein below 1.8; no CVSS score, EPSS data, or KEV status is currently published, limiting immediate risk quantification but indicating this is a serious deserialization flaw that should be patched urgently.

A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. While no CVSS score or active KEV status is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15861, indicating it is a recognized threat affecting WordPress installations using the vulnerable Leroux theme.

A deserialization of untrusted data vulnerability exists in Edge-Themes Archicon WordPress theme versions prior to 1.7, allowing attackers to perform arbitrary object instantiation through object injection attacks. This vulnerability, tracked as CWE-502, enables attackers to instantiate arbitrary PHP objects during the deserialization process, potentially leading to remote code execution or other malicious outcomes depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions of Archicon below 1.7, with a patch available in version 1.7 and later.

A deserialization of untrusted data vulnerability exists in Select-Themes Borgholm marketing agency theme (WordPress) that allows object injection attacks. The vulnerability affects Borgholm versions prior to 1.6, and attackers can exploit this to inject malicious PHP objects that execute arbitrary code within the WordPress environment. While no CVSS score or EPSS data is currently available, the CWE-502 classification indicates this is a critical deserialization flaw with high exploitation potential; no active KEV or public POC status is documented, but the vulnerability was reported through Patchstack with full advisory details available.

A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.

A deserialization of untrusted data vulnerability (CWE-502) exists in the magepeopleteam Bus Ticket Booking with Seat Reservation WordPress plugin through version 5.6.0, allowing object injection attacks. An attacker can inject malicious serialized PHP objects into the application, potentially leading to remote code execution or other critical impacts depending on available gadget chains in the WordPress environment. No CVSS score or EPSS data is currently available, and KEV status is unknown, but the vulnerability affects all installations running the vulnerable plugin versions.

A PHP Object Injection vulnerability exists in the ThemeREX Buisson WordPress theme through version 1.1.11, stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other object manipulation attacks depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the public disclosure via Patchstack indicates active awareness in the security community.

A PHP Object Injection vulnerability exists in the ThemeREX Work & Travel Company WordPress theme through version 1.2, stemming from unsafe deserialization of untrusted data (CWE-502). An attacker can exploit this vulnerability to inject malicious objects into the application, potentially leading to remote code execution or arbitrary object manipulation depending on the gadget chains available in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability was identified and reported by Patchstack, though active exploitation status remains unclear.

A PHP Object Injection vulnerability exists in ThemeREX Love Story WordPress theme through version 1.3.12, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can lead to remote code execution or other object-oriented attack chains. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has been reported by Patchstack; no CVSS score or EPSS data is currently available, and KEV status is unknown.

A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. The vulnerability affects all installations of this plugin through version 1.6.2 and has been documented by Patchstack, though CVSS scoring and exploitation metrics are currently unavailable.

A PHP Object Injection vulnerability exists in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects all installations of the affected plugin versions. While no CVSS score or EPSS data are currently available, the nature of object injection vulnerabilities combined with PHP's magic methods provides significant exploitation potential for code execution or privilege escalation.

Apicona, a WordPress theme by thememount, contains a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). All versions through 24.1.0 are affected. An attacker can exploit this to inject arbitrary objects into the application, potentially leading to remote code execution or other malicious object manipulation depending on available gadget chains within the PHP environment.

A deserialization of untrusted data vulnerability exists in the Rascals Vex theme (CWE-502) that allows attackers to perform PHP object injection attacks. The vulnerability affects Vex versions prior to 1.2.9, as confirmed by Patchstack reporting and ENISA EUVD-2026-15684. An attacker exploiting this flaw can inject malicious serialized objects to achieve arbitrary code execution or other malicious outcomes depending on available PHP magic methods in the application environment.

A deserialization of untrusted data vulnerability exists in Pendulum (a PHP datetime library) versions prior to 3.1.5, allowing attackers to perform object injection attacks. The vulnerability affects the rascals Pendulum library through unvalidated deserialization of user-supplied data. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution or other malicious outcomes depending on the application's gadget chain availability.

A PHP Object Injection vulnerability exists in the Rascals Meloo WordPress theme due to unsafe deserialization of untrusted data, classified under CWE-502 (Deserialization of Untrusted Data). This vulnerability affects Meloo versions prior to 2.8.2 and allows attackers to inject malicious objects that could lead to remote code execution or other security compromises. While no CVSS score, EPSS probability, or KEV status has been publicly assigned, the vulnerability was reported by Patchstack and has been assigned ENISA EUVD tracking ID EUVD-2026-15679, indicating active monitoring by European vulnerability databases.

A deserialization of untrusted data vulnerability exists in the park_of_ideas Ricky theme (all versions prior to 2.31) that allows object injection attacks. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or data manipulation. While no CVSS score or EPSS data is currently available and KEV status is unknown, the CWE-502 classification indicates a critical deserialization flaw that typically requires network access but no authentication.

A PHP Object Injection vulnerability exists in the Tasty Daily WordPress theme (park_of_ideas) through version 1.27, caused by unsafe deserialization of untrusted data (CWE-502). This vulnerability allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability affects an active WordPress theme distribution and has been documented by Patchstack security researchers.

A PHP Object Injection vulnerability exists in the park_of_ideas Goldish theme due to insecure deserialization of untrusted data, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. The vulnerability affects Goldish versions prior to 3.47. While no CVSS score or EPSS data is publicly available, the CWE-502 classification indicates a serious deserialization flaw that could be exploited if untrusted data is processed without validation.

A deserialization of untrusted data vulnerability exists in the park_of_ideas KIDZ theme that permits object injection attacks. All versions of KIDZ through 5.24 are affected, as confirmed via CPE cpe:2.3:a:park_of_ideas:kidz:*:*:*:*:*:*:*:*. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or other unintended actions on affected WordPress installations running this theme.

A PHP object injection vulnerability exists in FantasticPlugins SUMO Affiliates Pro due to unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject malicious serialized objects, potentially achieving remote code execution or other arbitrary actions depending on available gadget chains in the WordPress environment. All versions before 11.4.0 are affected, and a patch has been made available by the vendor.

A PHP Object Injection vulnerability exists in NooTheme Visionary Core plugin versions up to and including 1.4.9, stemming from unsafe deserialization of untrusted data. An attacker can inject malicious serialized objects to achieve arbitrary code execution or other critical impacts depending on available magic methods in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability is documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15602.

A PHP Object Injection vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, stemming from unsafe deserialization of untrusted data. This affects WordPress installations using the vulnerable Jobica Core plugin, allowing attackers to inject malicious serialized objects that can lead to arbitrary code execution or information disclosure depending on available gadget chains. The vulnerability has been identified by Patchstack but lacks public CVSS scoring and KEV confirmation at this time.

A PHP Object Injection vulnerability exists in NooTheme's Organici Library plugin through version 2.1.2, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject arbitrary PHP objects into the application, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No active exploitation in the wild (KEV status) or published proof-of-concept has been confirmed from available sources, but the vulnerability was reported by Patchstack and assigned EUVD-2026-15592, indicating it is tracked in official vulnerability databases.

A PHP Object Injection vulnerability exists in NooTheme CitiLights WordPress theme through version 3.7.1, stemming from unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious operations depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions up to and including 3.7.1; no CVSS score, EPSS data, or KEV status is currently available, though the nature of object injection vulnerabilities typically permits unauthenticated exploitation.

This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.

A PHP object injection vulnerability exists in the xtemos WoodMart WordPress theme through version 8.3.8, stemming from insecure deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can be instantiated during deserialization, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. The vulnerability affects all versions of WoodMart up to and including 8.3.8, with no CVSS score or EPSS data currently published, though the underlying deserialization flaw (CWE-502) is a known vector for critical remote exploitation.

AncoraThemes Melody melodyschool theme versions up to 1.6.3 contain a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other critical impacts depending on available PHP gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and KEV status is unknown, the vulnerability affects a WordPress theme distributed through the Patchstack vulnerability database, indicating active tracking by the security community.

A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15515, indicating it is tracked in official vulnerability databases.