Insecure Deserialization

Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.

The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]

Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.

Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Zumba Json Serializer versions 3.2.2 and below allow unrestricted PHP object instantiation during JSON deserialization, enabling attackers to trigger arbitrary class constructors and magic methods via malicious @type fields. When processing untrusted JSON input, this vulnerability can lead to PHP Object Injection and remote code execution if vulnerable gadget chains are present in the application or its dependencies. The vulnerability affects applications using affected PHP serialization libraries and currently lacks a patched version.

Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.

Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.

Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]

Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).

A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.

PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.

Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.

PHP Object Injection in Grand Restaurant WordPress theme.

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.

PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. [CVSS 7.8 HIGH]

A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. [CVSS 7.8 HIGH]

LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation.

JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.

ADB Explorer on Windows versions prior to Beta 0.9.26020 allows local attackers to achieve remote code execution by crafting a malicious App.txt settings file that exploits insecure JSON deserialization with enabled type name handling. An attacker can inject a gadget chain payload into the configuration file that executes arbitrary code when the application launches and processes settings. No patch is currently available for affected versions.

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).

In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution. [CVSS 8.8 HIGH]

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution.

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.

Microsoft Outlook's unsafe deserialization of untrusted data enables remote attackers to spoof messages and identities without authentication over the network. This vulnerability affects Outlook, Word, and Microsoft 365 Apps, allowing attackers to impersonate legitimate senders and deceive users. No patch is currently available, making this a high-risk threat requiring immediate defensive measures.

Denial of service in SAP NetWeaver's JMS service stems from unsafe deserialization of malicious objects, allowing authenticated administrators with local access to crash the application. The vulnerability requires high privileges and local access but carries no risk to confidentiality or integrity. No patch is currently available.

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.

EPyT-Flow hydraulic simulation package has a CVSS 10.0 insecure deserialization enabling code execution when loading simulation scenario files.

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. [CVSS 7.2 HIGH]

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. [CVSS 7.5 HIGH]

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. [CVSS 8.4 HIGH]

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]

magepeopleteam WpEvently mage-eventpress is affected by deserialization of untrusted data (CVSS 8.8).

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. [CVSS 7.8 HIGH]

Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.

SolarWinds Web Help Desk has a second deserialization vulnerability (EPSS 11.9%) providing another unauthenticated RCE path alongside CVE-2025-40551.

SolarWinds Web Help Desk contains an unauthenticated Java deserialization vulnerability (CVE-2025-40551, CVSS 9.8) that enables remote code execution. With EPSS 80.6% and KEV listing, this is the more severe of two concurrent WHD vulnerabilities, allowing attackers to execute arbitrary commands on the host server without any credentials.

Unsafe deserialization in PHPUnit versions before 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8 allows local attackers to execute arbitrary code by placing malicious serialized objects in `.coverage` files that are deserialized without validation during PHPT test execution. An attacker with file write access can exploit the `cleanupForCoverage()` method's lack of object class restrictions to trigger gadget chains through `__wakeup()` methods. This high-severity vulnerability (CVSS 7.8) affects developers and CI/CD systems running PHPUnit on Linux systems.

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. [CVSS 3.7 LOW]

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. [CVSS 7.8 HIGH]

Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. [CVSS 7.8 HIGH]

Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.8 HIGH]

ThemeREX Sound/musicplace WordPress theme has an insecure deserialization vulnerability enabling PHP object injection and potential remote code execution.

strongholdthemes Tech Life CPT techlife-cpt is affected by deserialization of untrusted data (CVSS 8.8).

strongholdthemes Dental Care CPT dentalcare-cpt is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection.This issue affects OneLife: from n/a through <= 3.9. [CVSS 8.8 HIGH]

Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection.This issue affects Anona: from n/a through <= 8.0. [CVSS 8.8 HIGH]

Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4. [CVSS 8.8 HIGH]