
Insecure Deserialization


Insecure deserialization occurs when an application converts serialized data (a stream of bytes representing an object's state) back into a living object without proper validation.

How It Works

Serialization frameworks in Java, PHP, Python and .NET turn objects into byte streams for storage or transmission and rebuild them later. The vulnerability arises because rebuilding an object can invoke methods of the classes named in the stream while the object is still being reconstructed, before any application logic has run.

Attackers exploit this by crafting malicious serialized payloads containing specially chosen objects that chain together through "gadget chains" — sequences of method calls in existing application libraries. When the application deserializes the attacker's payload, it automatically invokes these methods in sequence, ultimately achieving arbitrary code execution. For example, in Java applications, an attacker might create a serialized object that, when deserialized, triggers a chain through Apache Commons Collections classes, ending in runtime command execution.

The attack typically begins with identifying an endpoint that accepts serialized data — often in cookies, API parameters, or message queue payloads. The attacker then uses tools like ysoserial (Java) or phpggc (PHP) to generate weaponized payloads targeting known gadget chains in the application's dependencies. Because deserialization happens automatically and often before any application logic executes, these attacks frequently bypass authentication and input validation.
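To make the mechanism concrete, here is an added Python example (not code from this page) that parses a pickle stream with pickletools.genops and lists the opcodes that would make the loader import a name or call a callable. The sample streams are constructed inline: a plain session dict, which contains none of those opcodes, and a datetime.date, which the loader can only rebuild by importing datetime.date and calling it. Nothing is executed during the scan, which is what makes it usable as a pre-load check or as the basis of a log-and-alert hook.

```python
"""Inspect a pickle stream for load-time code paths without executing it."""
import pickle
import pickletools
from datetime import date

# Opcodes that make the unpickler import a name or call a callable while
# reconstructing objects. A stream holding only dicts, lists, strings and
# numbers never contains any of them.
EXECUTABLE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL",                        # resolve module.attribute by import
    "REDUCE", "NEWOBJ", "NEWOBJ_EX", "INST", "OBJ",  # call a resolved callable
    "BUILD",                                         # invoke __setstate__ / update __dict__
})


def executable_opcodes(data: bytes) -> list[tuple[str, int]]:
    """Return (opcode name, byte offset) for every opcode that would run code.

    pickletools.genops only parses the stream; nothing is imported or called.
    A malformed or truncated stream is reported as a single parse-error entry
    so that it is rejected rather than silently treated as harmless.
    """
    hits = []
    try:
        for op, _arg, pos in pickletools.genops(data):
            if op.name in EXECUTABLE_OPCODES:
                hits.append((op.name, pos))
    except ValueError as exc:  # genops raises ValueError on bad or truncated streams
        hits.append((f"PARSE_ERROR:{exc}", -1))
    return hits


def is_data_only(data: bytes) -> bool:
    """True when the stream can be loaded without resolving or calling anything."""
    return not executable_opcodes(data)


def load_data_only(data: bytes):
    """Load a pickle only if it is pure data; refuse anything that would run code."""
    hits = executable_opcodes(data)
    if hits:
        names = ", ".join(sorted({name for name, _ in hits}))
        raise ValueError(f"refusing to deserialize: stream contains {names}")
    return pickle.loads(data)


# Constructed samples: a plain session record, and an object whose
# reconstruction requires importing and calling datetime.date.
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "roles": ["viewer"]})
SAMPLE_OBJECT = pickle.dumps(date(2025, 1, 1))


if __name__ == "__main__":
    print("plain  :", executable_opcodes(SAMPLE_PLAIN))
    print("object :", executable_opcodes(SAMPLE_OBJECT))
    print(load_data_only(SAMPLE_PLAIN))
```

The scan is deliberately strict: any stream that references a class, even a benign standard-library one, is refused, because the loader cannot tell a harmless constructor from a gadget. That is the same reasoning behind the allowlist and data-only mitigations described later on this page.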

Impact

  • Remote code execution — attackers gain complete control of the server, executing arbitrary system commands
  • Authentication bypass — deserializing manipulated user/session objects grants unauthorized access without credentials
  • Privilege escalation — modifying serialized role or permission objects to gain administrative access
  • Data exfiltration — reading sensitive files or database contents through executed code
  • Denial of service — crafting objects that consume excessive memory or CPU during deserialization

Real-World Examples

SolarWinds Web Help Desk suffered two separate deserialization vulnerabilities in rapid succession. CVE-2025-40551 allowed unauthenticated attackers to achieve remote code execution by sending malicious serialized Java objects to the application. Even after patching, researchers discovered a second deserialization flaw in the same product, demonstrating how deeply embedded these vulnerabilities can be in application architectures.

Jenkins automation servers have experienced multiple Java deserialization vulnerabilities where attackers exploited the CLI protocol to send crafted objects, gaining full control over build servers. These attacks were particularly severe because Jenkins instances often have extensive network access and stored credentials for deploying applications.

WordPress and other PHP applications have faced attacks through unserialize() vulnerabilities in plugins, where attackers embedded malicious PHP objects in user-controllable data fields. Successful exploitation enabled attackers to install backdoors by writing arbitrary PHP files to the web root.

Mitigation

  • Avoid deserializing untrusted data entirely — redesign systems to use data-only formats like JSON instead of native serialization
  • Implement strict allowlists — configure deserialization libraries to only accept explicitly permitted classes, blocking all others
  • Apply cryptographic signatures — sign serialized data and validate signatures before deserialization to ensure integrity
  • Use isolated environments — deserialize in sandboxed processes with minimal privileges to contain potential exploitation
  • Update vulnerable libraries — patch frameworks and remove dependencies with known gadget chains
  • Monitor deserialization activity — log and alert on deserialization operations, especially from external sources
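The signature, allowlist and data-only bullets above, combined in one added Python example (not code from this page or from any project it mentions). SIGNING_KEY, ALLOWED_GLOBALS and the session samples are constructed for the demonstration; a real deployment would load the key from a secret store. A blob with a bad HMAC is rejected before a single byte reaches the unpickler, a validly signed stream can only resolve the classes on the allowlist, and the JSON helpers show the data-only alternative from the first bullet.

```python
"""Defensive deserialization: verify an HMAC tag, then load with a class allowlist."""
import hashlib
import hmac
import io
import json
import pickle
from datetime import date

# Assumed for the demo only; in production the key comes from a secret store
# and is never shared with clients.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Allowlist of (module, qualname) pairs the unpickler may resolve.
# Anything else, whatever it is, is refused.
ALLOWED_GLOBALS = frozenset({
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
})


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that only resolves explicitly permitted classes."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def sign(payload: bytes) -> bytes:
    """Return tag || payload; the tag covers the entire serialized blob."""
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def verify(blob: bytes) -> bytes:
    """Check the tag in constant time and return the payload, or raise ValueError."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a signature")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: payload rejected before deserialization")
    return payload


def verify_and_load(blob: bytes):
    """Signature first, then allowlisted unpickling of the verified payload."""
    return AllowlistUnpickler(io.BytesIO(verify(blob))).load()


def encode_json_session(session: dict) -> bytes:
    """Data-only alternative: a signed JSON document carries no class references."""
    body = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    return sign(body)


def load_json_session(blob: bytes) -> dict:
    return json.loads(verify(blob).decode())


# Constructed samples.
SESSION = {"user": "alice", "roles": ["viewer"]}
SESSION_BLOB = sign(pickle.dumps(SESSION))                  # signed, pure data
ALLOWED_BLOB = sign(pickle.dumps(frozenset({1, 2})))         # signed, allowlisted class
OBJECT_BLOB = sign(pickle.dumps(date(2025, 1, 1)))           # signed, class not allowlisted
TAMPERED_BLOB = SESSION_BLOB[:-1] + bytes([SESSION_BLOB[-1] ^ 0x01])  # one flipped byte
JSON_BLOB = encode_json_session(SESSION)


if __name__ == "__main__":
    print(verify_and_load(SESSION_BLOB))
    print(load_json_session(JSON_BLOB))
    for label, blob in (("tampered", TAMPERED_BLOB), ("not allowlisted", OBJECT_BLOB)):
        try:
            verify_and_load(blob)
        except (ValueError, pickle.UnpicklingError) as exc:
            print(f"{label}: {exc}")
```

The order matters: the HMAC check runs over raw bytes and costs nothing, so a forged or tampered blob never reaches the parser. The allowlist is the second line of defence for the case where the signing key leaks, which is exactly the situation behind the Laravel APP_KEY entries in the CVE list below.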

Recent CVEs (1153)

EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The iControlWP - Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Month

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Information Disclosure RCE +2
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Ruoyi
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Month

vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Vllm +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThimPress FundPress allows Object Injection.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 7.2
HIGH This Month

The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 61% CVSS 9.8
CRITICAL KEV THREAT Act Now

SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance.

Deserialization Sma8200V Sma6200 Firmware +6
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization
NVD
EPSS 18% CVSS 8.8
HIGH This Month

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.

RCE Deserialization IBM +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Privilege Escalation Android +1
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 16% CVSS 8.8
HIGH PATCH This Month

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.5%.

Deserialization WordPress Information Disclosure +2
NVD
EPSS 2% CVSS 7.2
HIGH This Month

The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization A Hrd
NVD
EPSS 1% CVSS 8.5
HIGH This Month

and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Deserialization Matrix Media Repo +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 7.5
HIGH POC This Month

MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Month

Microsoft Excel Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization 365 Apps +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability was found in AquilaCMS 1.412.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
EPSS 26% CVSS 7.8
HIGH This Month

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.

RCE Deserialization Ivanti +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.19.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 28% CVSS 9.8
CRITICAL PATCH This Week

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.5%.

RCE Deserialization WordPress +2
NVD
EPSS 1% CVSS 7.5
HIGH This Month

The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.X-* before 7.X-1.15. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Eloqua Drupal
NVD
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.0.0 before 4.0.1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Mailjet Drupal
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.X-* before 7.X-3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Node Export Drupal
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.0.0 before 9.3.4, from 9.4.0 before 9.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Monster Menus Drupal
NVD
EPSS 15% CVSS 7.2
HIGH Act Now

Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection.1.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.

Deserialization
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH This Week

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Openmeetings
NVD
EPSS 39% 4.4 CVSS 8.8
HIGH POC THREAT Act Now

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 39.4% and no vendor patch available.

RCE Deserialization PHP
NVD GitHub
EPSS 79% 5.8 CVSS 9.8
CRITICAL POC THREAT Emergency

Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.

Deserialization
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection.1.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection.9.50. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
EPSS 2% CVSS 8.1
HIGH This Week

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 7% CVSS 7.5
HIGH This Month

In Modem, there is a possible system crash due to a logic error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service Lr12a +4
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java Mysiteforme
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Month

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH This Month

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Information Disclosure +1
NVD
EPSS 37% CVSS 9.8
CRITICAL Emergency

Unsafe PHP object deserialization in the VRPConnector WordPress plugin (versions up to and including 2.0.1) by denniskravetstns enables remote code execution through PHP Object Injection. Remote attackers can submit crafted serialized payloads that, when unserialized, instantiate attacker-controlled objects and trigger magic methods leading to arbitrary code execution; no public exploit identified at time of analysis, but EPSS places this in the 97th percentile (36.92%) indicating elevated exploitation likelihood.

Deserialization
NVD
EPSS 81% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

Unauthenticated PHP object injection in the Mindstien Technologies 'My Geo Posts Free' WordPress plugin (versions up to and including 1.2) allows remote attackers to deserialize attacker-controlled data, potentially leading to full site compromise. The flaw is rated CVSS 9.8 and carries an EPSS of 80.62% (99th percentile), indicating very high probability of near-term exploitation, though no public exploit identified at time of analysis.

Deserialization
NVD
EPSS 32% CVSS 9.8
CRITICAL Emergency

Untrusted data deserialization in the Lis Video Gallery WordPress plugin (versions through 0.2.1) by bublick allows remote attackers to perform PHP object injection, potentially leading to arbitrary code execution depending on gadget chains available in the WordPress instance. The CVSS 9.8 score and EPSS of 31.81% (97th percentile) signal elevated exploitation likelihood, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and affects WordPress sites running this plugin.

Deserialization
NVD
EPSS 12% CVSS 9.9
CRITICAL Act Now

Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.

Deserialization
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Remote code execution in the dmcwebzone Airin Blog WordPress plugin (versions up to and including 1.6.1) is possible through PHP Object Injection via deserialization of untrusted data. Unauthenticated network attackers can exploit this CWE-502 weakness to compromise affected WordPress sites with no user interaction, and while no public exploit identified at time of analysis, the EPSS score of 2.82% (86th percentile) indicates above-average exploitation interest.

Deserialization
NVD
EPSS 22% CVSS 9.8
CRITICAL Act Now

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Deserialization
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated PHP object injection in the WP Swings Coupon Referral Program plugin for WordPress (versions up to and including 1.8.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes, leading to full compromise with changed scope (CVSS 10.0). No public exploit has been identified at time of analysis, and EPSS sits at 0.83% (75th percentile) - moderate exploitation likelihood despite the maximum severity score. The vulnerability is not currently listed in CISA KEV.

Deserialization
NVD
EPSS 93% 6.1 CVSS 8.8
HIGH POC PATCH THREAT Act Now

PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote unauthenticated attackers to inject arbitrary PHP objects through deserialization of untrusted input. While the plugin itself contains no POP chain, the presence of any additional plugin or theme on the same WordPress instance that introduces a usable POP gadget can escalate the bug to arbitrary file deletion, sensitive data disclosure, or remote code execution. Publicly available exploit code exists and the EPSS score of 93.40% (100th percentile) signals very high real-world exploitation probability.

PHP Deserialization WordPress +2
NVD VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Month

Microsoft SharePoint Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Microsoft RCE +1
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Deserialization in HTML5 MP3 Player with Folder Feedburner Playlist Free WordPress plugin.

Deserialization
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Deserialization in Live Composer page builder WordPress plugin.

Deserialization
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Insecure deserialization in HTML5 SoundCloud Player with Playlist Free WordPress plugin.

Deserialization
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

CSRF + deserialization chain in ARMember WordPress membership plugin.

Deserialization CSRF
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Insecure deserialization in HTML5 MP3 Player with Playlist Free WordPress plugin by SVNLabs.

Deserialization
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Insecure deserialization in Tagbox UGC Galleries WordPress plugin. CVSS 10.0.

Deserialization
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Insecure deserialization in Gecka Terms Thumbnails WordPress plugin through 1.1.

Deserialization
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Insecure deserialization in WooCommerce Tranzila Payment Gateway plugin. CVSS 10.0.

Deserialization WordPress
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in fhs-opensource iparking 1.5.22.RELEASE. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Iparking
NVD GitHub VulDB
EPSS 37% 5.9 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Microsoft Exchange Server 2013, 2016, and 2019 allows authenticated attackers to execute arbitrary code on the server via insecure deserialization of untrusted data (CWE-502). The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries an EPSS score of 36.68% (97th percentile), placing it among the highest-risk vulnerabilities. Successful exploitation yields full compromise of confidentiality, integrity, and availability on the targeted Exchange Server.

RCE Microsoft Deserialization
NVD VulDB
EPSS 93% 9.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and EPSS scoring at 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector requiring no authentication or user interaction makes this a top-priority remediation target for any organization running affected ColdFusion versions.

Java Deserialization Apache +2
NVD Exploit-DB
EPSS 93% 9.8 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects exploiting the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1.

Java Apache Deserialization +1
NVD Exploit-DB VulDB

Quick Facts

Typical Severity: CRITICAL
Category: web
Total CVEs: 1153
