Insecure Deserialization

Critical deserialization vulnerability in themeton FLAP - Business WordPress Theme (versions up to 1.5) that allows unauthenticated remote attackers to achieve arbitrary object injection without user interaction. The vulnerability has a near-perfect CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating complete compromise of confidentiality, integrity, and availability is possible. Given the network-accessible attack vector and low complexity, this represents a critical risk to all WordPress installations using vulnerable theme versions.

Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.

Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.

Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.

Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.

Critical deserialization vulnerability in AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.

A deserialization vulnerability in ThemeGoods Photography (CVSS 8.5). High severity vulnerability requiring prompt remediation.

A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System (versions through 7.3.2025.0408) caused by unsafe deserialization of untrusted data in the download file function. An unauthenticated remote attacker can exploit this to execute arbitrary system commands with no user interaction required, achieving complete compromise of confidentiality, integrity, and availability. The CVSS 9.8 severity and network-accessible attack vector indicate this is a high-priority threat requiring immediate patching.

Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.  This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by sending a crafted Java object to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root.

A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device.  This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef file. A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it.

A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Insecure deserialization in Auth0-PHP SDK 8.0.0-BETA3 to before 8.3.1.

Critical remote code execution vulnerability in slackero phpwcms affecting versions up to 1.9.45 and 1.10.8. The vulnerability exists in the image_resized.php file where unsanitized input to the 'imgfile' parameter is passed to PHP's is_file() and getimagesize() functions, leading to unsafe deserialization. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with a CVSS score of 7.3; the vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable.

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.

The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes.

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.

A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.6.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available.

A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

A vulnerability was found in FunAudioLLM InspireMusic up to bf32364bcb0d136497ca69f9db622e9216b029dd. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

A vulnerability has been found in easysoft zentaopms 21.5_20250307 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet allows Object Injection.2.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.6.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection.91. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection.net Payment Gateway for WooCommerce: from n/a through 1.0.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection.5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A critical deserialization vulnerability in the ThemeMakers Car Dealer WordPress theme allows remote attackers to perform PHP object injection attacks without authentication. The vulnerability affects all versions of Car Dealer prior to 1.6.7 and enables complete system compromise with the ability to execute arbitrary code, steal data, or take over the website. With an EPSS score of 0.15% (35th percentile), while not currently in CISA KEV, the vulnerability presents moderate real-world exploitation risk given its network-accessible attack vector and lack of required authentication.

Deserialization of Untrusted Data vulnerability in designthemes Finance Consultant allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis - Night Club, Concert, Festival WordPress allows Object Injection.8.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in designthemes Pet World allows Object Injection.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection.6.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in designthemes Crafts & Arts allows Object Injection.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House allows Object Injection.2.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in themeton The Business allows Object Injection.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection.2.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in themeton HotStar - Multi-Purpose Business Theme allows Object Injection.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Glossary by WPPedia - Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

An authenticated user can modify application state data. Rated high severity (CVSS 7.5). No vendor patch available.

Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.18.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon.7.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection.7.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection.2.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

A vulnerability was found in BeamCtrl Airiana up to 11.0. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Emlog is an open source website building system. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421.load of the file models/utils.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cap Collectif is an online decision making platform that integrates several tools. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324.

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code. Rated medium severity (CVSS 6.6). No vendor patch available.

Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection.1.9.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection.4.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

vLLM is an inference and serving engine for large language models. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.