Total
2129 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49220 | 2 Microsoft, Trendmicro | 2 Windows, Apex Central | 2025-09-08 | N/A | 9.8 CRITICAL |
| An insecure deserialization operation in Trend Micro Apex Central below version 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49219 but is in a different method. | |||||
| CVE-2025-53691 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-09-08 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4. | |||||
| CVE-2022-45134 | 1 Mahara | 1 Mahara | 2025-09-08 | N/A | 9.8 CRITICAL |
| Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed. | |||||
| CVE-2025-58163 | 1 Freescout | 1 Freescout | 2025-09-08 | N/A | 8.8 HIGH |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.185 and earlier contain a deserialization of untrusted data vulnerability that allows authenticated attackers with knowledge of the application's APP_KEY to achieve remote code execution. The vulnerability is exploited via endpoint, e.g.: `/help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}` where the `customer_id` and `timestamp` parameters are processed through the decrypt function in `app/Helper.php` without proper validation. The code decrypts using Laravel's built-in encryption functions, which subsequently deserialize the decrypted payload without sanitization, allowing attackers to craft malicious serialized PHP objects using classes to trigger arbitrary command execution. This is fixed in version 1.8.186. | |||||
| CVE-2025-32312 | 1 Google | 1 Android | 2025-09-05 | N/A | 7.8 HIGH |
| In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48535 | 1 Google | 1 Android | 2025-09-05 | N/A | 7.8 HIGH |
| In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-58839 | 2025-09-05 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection. This issue affects eDS Responsive Menu: from n/a through 1.2. | |||||
| CVE-2025-58815 | 2025-09-05 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon allows Object Injection. This issue affects Aitasi Coming Soon: from n/a through 2.0.2. | |||||
| CVE-2025-49401 | 2025-09-05 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ExpressTech Systems Quiz And Survey Master allows Object Injection. This issue affects Quiz And Survey Master: from n/a through 10.2.5. | |||||
| CVE-2025-9260 | 2025-09-04 | N/A | 6.5 MEDIUM | ||
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version | |||||
| CVE-2025-58643 | 2025-09-04 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Daylight Edition allows Object Injection. This issue affects LTL Freight Quotes – Daylight Edition: from n/a through 2.2.7. | |||||
| CVE-2025-58642 | 2025-09-04 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Day & Ross Edition allows Object Injection. This issue affects LTL Freight Quotes – Day & Ross Edition: from n/a through 2.1.11. | |||||
| CVE-2025-9365 | 2025-09-04 | N/A | 7.8 HIGH | ||
| Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. | |||||
| CVE-2025-58644 | 2025-09-04 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition allows Object Injection. This issue affects LTL Freight Quotes - TQL Edition: from n/a through 1.2.6. | |||||
| CVE-2024-13297 | 1 Eloqua Project | 1 Eloqua | 2025-09-03 | N/A | 6.6 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.This issue affects Eloqua: from 7.X-* before 7.X-1.15. | |||||
| CVE-2024-13296 | 1 Mailjet | 1 Mailjet | 2025-09-03 | N/A | 6.6 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.This issue affects Mailjet: from 0.0.0 before 4.0.1. | |||||
| CVE-2025-57773 | 1 Dataease | 1 Dataease | 2025-09-03 | N/A | 9.8 CRITICAL |
| DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This vulnerability requires commons-collections 4.x and aspectjweaver-1.9.22.jar. The vulnerability has been fixed in version 2.10.12. | |||||
| CVE-2024-47092 | 1 Heinlein-support | 1 Check Mk Python Api | 2025-09-02 | N/A | 9.8 CRITICAL |
| Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1 | |||||
| CVE-2024-13295 | 1 Node Export Project | 1 Node Export | 2025-09-02 | N/A | 6.6 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.This issue affects Node export: from 7.X-* before 7.X-3.3. | |||||
| CVE-2024-13288 | 1 Monster Menus Project | 1 Monster Menus | 2025-09-02 | N/A | 4.3 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.This issue affects Monster Menus: from 0.0.0 before 9.3.4, from 9.4.0 before 9.4.2. | |||||