Total: 2136 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-40195 | 1 Apache | 1 Airflow Spark Provider | 2025-04-23 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user who is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3 this was not called out explicitly in the documentation, so administrators may have granted authorization to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure that authorization to configure Spark hooks is granted only to fully trusted users. To view the warning in the docs please visit https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html | |||||
| CVE-2025-3439 | 1 Wpeverest | 1 Everest Forms | 2025-04-23 | N/A | 9.8 CRITICAL |
| The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. | |||||
| CVE-2025-24447 | 1 Adobe | 1 Coldfusion | 2025-04-23 | N/A | 9.1 CRITICAL |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user, with a high impact to confidentiality and integrity. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-44351 | 1 Skycaiji | 1 Skycaiji | 2025-04-23 | N/A | 9.8 CRITICAL |
| Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. | |||||
| CVE-2022-44371 | 1 Hope-boot Project | 1 Hope-boot | 2025-04-23 | N/A | 9.8 CRITICAL |
| hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). | |||||
| CVE-2025-32375 | 1 Bentoml | 1 Bentoml | 2025-04-22 | N/A | 9.8 CRITICAL |
| BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, BentoML's runner server performed insecure deserialization: by setting specific headers and parameters in a POST request, an attacker could execute arbitrary unauthorized code on the server, gaining initial access and disclosing information from the server. This vulnerability is fixed in 1.4.8. | |||||
| CVE-2024-20150 | 1 Mediatek | 80 Lr12a, Lr13, Mt2735 and 77 more | 2025-04-22 | N/A | 7.5 HIGH |
| In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018. | |||||
| CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2025-04-21 | N/A | 9.8 CRITICAL |
| A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function of the TypedArray object. | |||||
| CVE-2025-30284 | 1 Adobe | 1 Coldfusion | 2025-04-21 | N/A | 8.4 HIGH |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction, and the scope is changed. | |||||
| CVE-2025-30285 | 1 Adobe | 1 Coldfusion | 2025-04-21 | N/A | 8.4 HIGH |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction, and the scope is changed. | |||||
| CVE-2021-38241 | 1 Ruoyi | 1 Ruoyi | 2025-04-21 | N/A | 9.8 CRITICAL |
| A deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via a weak cipher in the Shiro framework. | |||||
| CVE-2016-4000 | 2 Debian, Jython Project | 2 Debian Linux, Jython | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | |||||
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2025-04-20 | 8.5 HIGH | 6.5 MEDIUM |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. | |||||
| CVE-2017-5878 | 1 Red5 | 1 Media Server | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which they perform deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data. | |||||
| CVE-2016-6793 | 1 Apache | 1 Wicket | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object. | |||||
| CVE-2014-9515 | 1 Dozer Project | 1 Dozer | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2017-5954 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). | |||||
| CVE-2017-12628 | 1 Apache | 1 James Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The JMX server embedded in Apache James, which is also used by the command-line client, is exposed to a Java deserialization issue and can therefore be used to execute arbitrary commands. Because James exposes the JMX socket only on localhost by default, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the affected library. | |||||
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The IBM WebSphere MQ JMS client, versions 7.0.1, 7.1, 7.5, 8.0, and 9.0, provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | |||||
| CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | |||||
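
The Odoo (CVE-2017-10803), BentoML (CVE-2025-32375) and Jython (CVE-2016-4000) entries above are the Python face of the same bug class: bytes from an untrusted source handed to an unpickler. The following is an added example, not code from Odoo, BentoML, Jython or any other project in the list. It shows why `pickle.loads` on attacker-controlled data is code execution (a `__reduce__` method can name any importable callable) and the allowlisting `find_class` override described in the Python `pickle` documentation that turns such a stream into an `UnpicklingError`. The `MaliciousObject` class, the sample dictionary and the two-entry allowlist are constructed for illustration; the malicious payload calls `builtins.eval` so the effect is observable but harmless.

```python
import io
import pickle


class MaliciousObject:
    """Constructed attacker payload.

    On pickling, __reduce__ tells the unpickler to call the returned
    callable with the returned arguments when the stream is loaded.
    eval is used here so the effect is visible and harmless; a real payload
    would name os.system or subprocess.Popen instead.
    """

    def __reduce__(self):
        return (eval, ("7 * 6",))


def build_malicious_pickle() -> bytes:
    """Serialise the payload exactly as an attacker would before sending it."""
    return pickle.dumps(MaliciousObject())


def build_benign_pickle() -> bytes:
    """Plain data of the shape an application legitimately exchanges (constructed)."""
    return pickle.dumps({"user": "alice", "roles": ["admin"], "score": 9.5})


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads on bytes from the network.

    Every GLOBAL / STACK_GLOBAL opcode in the stream is resolved to a real
    Python callable, so the attacker chooses what runs.
    """
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader, following the pattern in the pickle docs.

    find_class is the hook the unpickler calls to resolve every global
    reference in the stream. Refusing anything not explicitly allowed turns
    the RCE primitive into an UnpicklingError while plain data (dicts, lists,
    strings, numbers) still loads, since those need no global lookup.
    """

    # Assumption: this application only ever needs these two globals.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Hardened replacement for pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_malicious_pickle()
    print("unsafe_load ran attacker-chosen code, result:", unsafe_load(payload))
    print("safe_load rejected the same stream:", is_rejected(payload))
    print("safe_load still handles plain data:", safe_load(build_benign_pickle()))
```

The allowlist is the whole defence, so keep it as small as the application can tolerate and review it with the same care as an authorization table; a single entry such as `("os", "system")` or `("subprocess", "Popen")` reopens the hole. Where the data does not need to be pickle at all, the better fix is a format with no code-loading semantics (JSON, msgpack) plus a signature or MAC on anything that crosses a trust boundary.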

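The Java entries above (Red5's AMF unmarshallers, the IBM MQ JMS client, the Apache James JMX socket, and the `<ex:serializable>` element in Apache XML-RPC, CVE-2016-5003) share one root cause: a `java.io.ObjectInputStream` fed bytes the attacker controls. Such streams are easy to recognise on the wire because `ObjectOutputStream` always writes the header `AC ED 00 05` (base64 `rO0AB`). The following is an added example, not code from Apache XML-RPC, Archiva or any other listed project, showing a request-side check a reverse proxy or WAF rule could apply: reject any XML-RPC call that carries the `serializable` extension element, and independently flag any base64 value whose decoded bytes begin with the Java stream magic. The extensions namespace URL and the sample requests are constructed assumptions for the demonstration; the local-name match means a different prefix or namespace is still caught.

```python
import base64
import xml.etree.ElementTree as ET

# Header written by java.io.ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
# Base64-encoded, every such stream starts with "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Assumption: namespace used by Apache XML-RPC's vendor extensions. The check
# below matches on the local name, so the exact URL only matters for the sample.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"


def build_request(value_xml: str) -> bytes:
    """Constructed XML-RPC methodCall wrapping a single <value> (sample, not real traffic)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<methodCall xmlns:ex="{XMLRPC_EXT_NS}">\n'
        "  <methodName>ping</methodName>\n"
        f"  <params><param><value>{value_xml}</value></param></params>\n"
        "</methodCall>\n"
    ).encode()


def malicious_request() -> bytes:
    """Request abusing the serializable extension.

    The payload is a stand-in: only the stream header plus a few bytes.
    A real gadget-chain payload is kilobytes long but starts the same way.
    """
    fake_stream = JAVA_STREAM_MAGIC + b"sr\x00\x04Evil"
    encoded = base64.b64encode(fake_stream).decode()
    return build_request(f"<ex:serializable>{encoded}</ex:serializable>")


def benign_request() -> bytes:
    return build_request("<string>hello</string>")


def benign_base64_request() -> bytes:
    """Ordinary <base64> value: binary, but not a Java object stream."""
    encoded = base64.b64encode(b"ordinary binary attachment").decode()
    return build_request(f"<base64>{encoded}</base64>")


def _decode_base64(text: str):
    compact = "".join(text.split())  # encoders commonly wrap long values
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_request(xml_bytes: bytes) -> list:
    """Return the reasons to reject the request; an empty list means clean.

    Check 1: the serializable extension element must never appear, because
    the server hands its contents straight to ObjectInputStream.
    Check 2: any base64-carrying value whose decoded bytes start with the
    Java stream magic is flagged, which also catches a stream smuggled
    through a plain <base64> value.
    """
    findings = []
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local_name == "serializable":
            findings.append(f"extension element {elem.tag} present")
        if local_name in ("serializable", "base64"):
            raw = _decode_base64(elem.text or "")
            if raw is not None and raw.startswith(JAVA_STREAM_MAGIC):
                findings.append(
                    f"<{local_name}> payload begins with Java stream magic {JAVA_STREAM_MAGIC.hex()}"
                )
    return findings


def should_reject(xml_bytes: bytes) -> bool:
    return bool(inspect_request(xml_bytes))


if __name__ == "__main__":
    for name, req in (
        ("malicious", malicious_request()),
        ("benign string", benign_request()),
        ("benign base64", benign_base64_request()),
    ):
        print(f"{name}: reject={should_reject(req)} findings={inspect_request(req)}")
```

Two caveats for anyone lifting this into a gateway: the stdlib `xml.etree` parser is not hardened against entity-expansion attacks, so use `defusedxml` in production; and the magic-byte check is a detective control only, since the real fix is on the server (do not expose extension types that deserialize Java objects, and filter `ObjectInputStream` with a class allowlist where deserialization cannot be removed).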