Search Results (2499 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-1000148 1 Mahara 1 Mahara 2025-04-20 N/A
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file.
CVE-2017-1000053 1 Plug Project 1 Plug 2025-04-20 8.1 High
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.
CVE-2017-1000034 1 Akka 1 Akka 2025-04-20 N/A
Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a Java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.
CVE-2017-0903 4 Canonical, Debian, Redhat and 1 more 11 Ubuntu Linux, Debian Linux, Enterprise Linux and 8 more 2025-04-20 N/A
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
CVE-2016-9299 2 Fedoraproject, Jenkins 2 Fedora, Jenkins 2025-04-20 N/A
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
CVE-2016-8749 2 Apache, Redhat 3 Camel, Jboss Amq, Jboss Fuse 2025-04-20 N/A
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
CVE-2016-8744 1 Apache 1 Brooklyn 2025-04-20 N/A
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
CVE-2016-8736 1 Apache 1 Openmeetings 2025-04-20 N/A
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
CVE-2016-10304 1 Sap 1 Netweaver Application Server Java 2025-04-20 6.5 Medium
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
CVE-2016-7050 1 Redhat 5 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Hpc Node and 2 more 2025-04-20 N/A
SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.
CVE-2016-3415 1 Synacor 1 Zimbra Collaboration Suite 2025-04-20 N/A
Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.
CVE-2016-4483 4 Debian, Oracle, Redhat and 1 more 4 Debian Linux, Solaris, Jboss Core Services and 1 more 2025-04-20 7.5 High
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.
CVE-2024-1685 1 Sygnoos 1 Social Media Share Buttons 2025-04-18 8.8 High
The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2023-32795 1 Woocommerce 1 Product Addons 2025-04-17 8.2 High
Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3.
CVE-2025-32572 2025-04-17 9.8 Critical
Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection. This issue affects Kata Plus: from n/a through 1.5.2.
CVE-2025-32662 2025-04-17 8.8 High
Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0.
CVE-2025-39588 2025-04-17 9.8 Critical
Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0.
CVE-2025-32686 2025-04-17 8.8 High
Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0.
CVE-2025-39527 2025-04-17 8.8 High
Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7.
CVE-2025-32658 2025-04-17 9.8 Critical
Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection. This issue affects HelpGent: from n/a through 2.2.4.