Total
2129 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-23045 | 1 Cvat | 1 Computer Vision Annotation Tool | 2025-09-16 | N/A | 9.8 CRITICAL |
| Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state serialization. If a function uses an unsafe serialization library such as pickle or jsonpickle, it's likely to be vulnerable. Upgrade to CVAT 2.26.0 or later. If you are unable to upgrade, shut down any instances of the TransT or SiamMask functions you're running. | |||||
| CVE-2025-7099 | 1 Boyuncms Project | 1 Boyuncms | 2025-09-15 | 5.1 MEDIUM | 5.6 MEDIUM |
| A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-10433 | 2025-09-15 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. This issue affects some unknown processing of the file /admin/api/workspace/default/tool/debug. Executing manipulation of the argument code can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.1 is capable of addressing this issue. It is suggested to upgrade the affected component. | |||||
| CVE-2024-36528 | 1 Nukeviet | 2 Egovernment, Nukeviet | 2025-09-15 | N/A | 8.8 HIGH |
| nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before have a Deserialization vulnerability which results in code execution via /admin/extensions/download.php and /admin/extensions/upload.php. | |||||
| CVE-2025-43960 | 1 Adminer | 1 Adminer | 2025-09-12 | N/A | 8.6 HIGH |
| Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention. | |||||
| CVE-2025-52287 | 1 Elite Project | 1 Elite | 2025-09-12 | N/A | 8.8 HIGH |
| OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability. | |||||
| CVE-2025-54897 | 1 Microsoft | 1 Sharepoint Server | 2025-09-12 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-53303 | 2025-09-11 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection. This issue affects ThemeMove Core: from n/a through 1.4.2. | |||||
| CVE-2025-48101 | 2025-09-11 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1. | |||||
| CVE-2025-47579 | 2025-09-11 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2. | |||||
| CVE-2025-10164 | 2025-09-11 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in deserialization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-55232 | 2025-09-11 | N/A | 9.8 CRITICAL | ||
| Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-10252 | 2025-09-11 | 1.8 LOW | 3.1 LOW | ||
| A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. This affects an unknown part of the component Java RMI Registry Handler. This manipulation causes deserialization. The attack can only be done within the local network. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-54366 | 1 Freescout | 1 Freescout | 2025-09-11 | N/A | 8.8 HIGH |
| FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186. | |||||
| CVE-2025-41701 | 2025-09-09 | N/A | 7.8 HIGH | ||
| An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context. | |||||
| CVE-2025-49217 | 2 Microsoft, Trendmicro | 2 Windows, Trend Micro Endpoint Encryption | 2025-09-08 | N/A | 9.8 CRITICAL |
| An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method. | |||||
| CVE-2025-49214 | 2 Microsoft, Trendmicro | 2 Windows, Trend Micro Endpoint Encryption | 2025-09-08 | N/A | 8.8 HIGH |
| An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a post-authentication remote code execution on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. | |||||
| CVE-2025-49213 | 2 Microsoft, Trendmicro | 2 Windows, Trend Micro Endpoint Encryption | 2025-09-08 | N/A | 9.8 CRITICAL |
| An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49212 but is in a different method. | |||||
| CVE-2025-49212 | 2 Microsoft, Trendmicro | 2 Windows, Trend Micro Endpoint Encryption | 2025-09-08 | N/A | 9.8 CRITICAL |
| An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method. | |||||
| CVE-2025-49219 | 2 Microsoft, Trendmicro | 2 Windows, Apex Central | 2025-09-08 | N/A | 9.8 CRITICAL |
| An insecure deserialization operation in Trend Micro Apex Central below versions 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method. | |||||