Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27779 | 2025-03-19 | N/A | N/A | ||
| Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to the `run_model_blender_script` and later to `model_blender` function, which loads these two models with `torch.load` in `model_blender.py (on lines 20-21 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the Applio repository. | |||||
| CVE-2025-27778 | 2025-03-19 | N/A | N/A | ||
| Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release. | |||||
| CVE-2020-5741 | 2 Microsoft, Plex | 2 Windows, Media Server | 2025-03-19 | 6.5 MEDIUM | 7.2 HIGH |
| Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. | |||||
| CVE-2018-15133 | 1 Laravel | 1 Laravel | 2025-03-19 | 6.8 MEDIUM | 8.1 HIGH |
| In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. | |||||
| CVE-2024-13410 | 2025-03-19 | N/A | 9.8 CRITICAL | ||
| The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2023-26234 | 1 Jd-gui Project | 1 Jd-gui | 2025-03-17 | N/A | 6.6 MEDIUM |
| JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance. | |||||
| CVE-2022-37936 | 1 Hpe | 1 Serviceguard For Linux | 2025-03-17 | N/A | 9.8 CRITICAL |
| Unauthenticated Java deserialization vulnerability in Serviceguard Manager | |||||
| CVE-2025-2376 | 2025-03-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in viames Pair Framework up to 1.9.11 and classified as critical. Affected by this vulnerability is the function getCookieContent of the file /src/UserRemember.php of the component PHP Object Handler. The manipulation of the argument cookieName leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-26921 | 2025-03-15 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6. | |||||
| CVE-2022-31199 | 1 Netwrix | 1 Auditor | 2025-03-14 | N/A | 9.8 CRITICAL |
| Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors. | |||||
| CVE-2020-7961 | 1 Liferay | 1 Liferay Portal | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). | |||||
| CVE-2018-1000861 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | |||||
| CVE-2019-10068 | 1 Kentico | 1 Kentico | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted. | |||||
| CVE-2020-10189 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | |||||
| CVE-2019-18935 | 1 Telerik | 1 Ui For Asp.net Ajax | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) | |||||
| CVE-2021-35464 | 1 Forgerock | 2 Access Management, Openam | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier | |||||
| CVE-2025-2000 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
| A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A python process calling Qiskit 0.18.0 through 1.4.1's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload. | |||||
| CVE-2023-39475 | 1 Inductiveautomation | 1 Ignition | 2025-03-13 | N/A | 9.8 CRITICAL |
| Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290. | |||||
| CVE-2023-39473 | 1 Inductiveautomation | 1 Ignition | 2025-03-13 | N/A | 8.8 HIGH |
| Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the AbstractGatewayFunction class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. . Was ZDI-CAN-17587. | |||||
| CVE-2023-21839 | 1 Oracle | 1 Weblogic Server | 2025-03-13 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||