Total
2136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50223 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | N/A | 8.8 HIGH |
| Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22127. | |||||
| CVE-2024-1859 | 1 Awplife | 1 Slider Responsive Slideshow | 2025-03-12 | N/A | 8.8 HIGH |
| The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-0825 | 1 Davekiss | 1 Vimeography | 2025-03-11 | N/A | 8.8 HIGH |
| The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function. This makes it possible for authenticated attackers attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2023-27372 | 2 Debian, Spip | 2 Debian Linux, Spip | 2025-03-11 | N/A | 9.8 CRITICAL |
| SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. | |||||
| CVE-2024-13899 | 1 Misterpah | 1 Mambo Joomla Importer | 2025-03-11 | N/A | 7.2 HIGH |
| The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the fImportMenu function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-27925 | 2025-03-10 | N/A | 8.5 HIGH | ||
| Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input. | |||||
| CVE-2025-27816 | 2025-03-07 | N/A | 9.8 CRITICAL | ||
| A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. The vulnerability is present in the Windows Plugin_Host service, which runs on all the servers where InfoScale is installed. The service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard. Disabling the Plugin_Host service manually will eliminate the vulnerability. | |||||
| CVE-2024-36984 | 1 Splunk | 1 Splunk | 2025-03-07 | N/A | 8.8 HIGH |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code. | |||||
| CVE-2024-13906 | 2025-03-07 | N/A | 7.2 HIGH | ||
| The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2023-26779 | 1 Yf-exam Project | 1 Yf-exam | 2025-03-06 | N/A | 9.8 CRITICAL |
| CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE). | |||||
| CVE-2024-12742 | 2025-03-06 | N/A | 7.8 HIGH | ||
| A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web Development Software 2022 Q3 and prior versions. | |||||
| CVE-2021-28254 | 1 Laravel | 1 Laravel | 2025-03-05 | N/A | 9.8 CRITICAL |
| A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. | |||||
| CVE-2024-31903 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 8.8 HIGH |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data. | |||||
| CVE-2024-13787 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-0912 | 2025-03-04 | N/A | 9.8 CRITICAL | ||
| The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution. | |||||
| CVE-2025-26999 | 2025-03-03 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid allows Object Injection. This issue affects ProfileGrid : from n/a through 5.9.4.3. | |||||
| CVE-2025-26967 | 2025-03-03 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection. This issue affects Events Calendar for GeoDirectory: from n/a through 2.3.14. | |||||
| CVE-2025-26885 | 2025-03-03 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection. This issue affects Assistant: from n/a through 1.5.1. | |||||
| CVE-2024-13833 | 2025-03-01 | N/A | 7.2 HIGH | ||
| The Album Gallery – WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2024-5352 | 1 Anji-plus | 1 Aj-report | 2025-03-01 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. Affected by this issue is the function validationRules of the component com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSetParamController#verification. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266264. | |||||