Total: 1958 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-42323 | 1 Apache | 1 Hertzbeat | 2025-07-01 | N/A | 8.8 HIGH | SnakeYaml deserialization of a malicious XML load leads to an RCE vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue.
CVE-2025-21364 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2025-07-01 | N/A | 7.8 HIGH | Microsoft Excel Security Feature Bypass Vulnerability
CVE-2025-53415 | | | 2025-07-01 | N/A | 7.8 HIGH | Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution
CVE-2025-52724 | | | 2025-06-30 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0.
CVE-2025-52826 | | | 2025-06-30 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
CVE-2025-52725 | | | 2025-06-30 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0.
CVE-2025-52827 | | | 2025-06-30 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.
CVE-2025-28970 | | | 2025-06-30 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6.
CVE-2025-52709 | | | 2025-06-30 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2.
CVE-2025-53393 | | | 2025-06-30 | N/A | 6.0 MEDIUM | In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.
CVE-2024-29212 | 1 Veeam | 1 Veeam Service Provider Console | 2025-06-30 | N/A | 9.9 CRITICAL | Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
CVE-2025-24357 | 1 Vllm | 1 Vllm | 2025-06-27 | N/A | 7.5 HIGH | vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from Hugging Face. It uses the torch.load function, and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.
CVE-2025-27520 | 1 Bentoml | 1 Bentoml | 2025-06-27 | N/A | 9.8 CRITICAL | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.
CVE-2025-2566 | | | 2025-06-26 | N/A | N/A | Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
CVE-2025-53002 | | | 2025-06-26 | N/A | 8.3 HIGH | LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
CVE-2023-26512 | 4 Apache, Apple, Linux and 1 more | 4 Eventmesh-connector-rabbitmq, Macos, Linux Kernel and 1 more | 2025-06-25 | N/A | 9.8 CRITICAL | CWE-502 Deserialization of Untrusted Data in the rabbitmq-connector plugin module of Apache EventMesh (incubating) V1.7.0 and V1.8.0 on Windows, Linux, macOS and similar platforms allows attackers to send controlled messages and achieve remote code execution via RabbitMQ messages. Users can use the code under the master branch in the project repo to fix this issue; the new version will be released as soon as possible.
CVE-2024-41151 | 1 Apache | 1 Hertzbeat | 2025-06-24 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue.
CVE-2025-47771 | | | 2025-06-23 | N/A | N/A | PowSyBl (Power System Blocks) is a framework to build power-system-oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances. This method takes in an InputStream and returns a SparseMatrix object. This issue has been patched in com.powsybl:powsybl-math: 6.7.2. A workaround for this issue involves not using SparseMatrix deserialization (SparseMatrix.read(...) methods).
CVE-2025-25940 | 1 Visicut | 1 Visicut | 2025-06-23 | N/A | 9.8 CRITICAL | VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
CVE-2025-27531 | 1 Apache | 1 Inlong | 2025-06-23 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 before 2.1.0; it would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.