Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-3258 | 1 Google | 1 Chrome | 2025-04-11 | 9.3 HIGH | N/A |
| The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors. | |||||
| CVE-2012-3527 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2025-04-11 | 4.6 MEDIUM | N/A |
| view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." | |||||
| CVE-2011-2894 | 1 Vmware | 2 Spring Framework, Spring Security | 2025-04-11 | 6.8 MEDIUM | N/A |
| Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. | |||||
| CVE-2012-0911 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. | |||||
| CVE-2013-4271 | 1 Restlet | 1 Restlet | 2025-04-11 | 7.5 HIGH | N/A |
| The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. | |||||
| CVE-2025-3425 | 2025-04-10 | N/A | N/A | ||
| The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the deserialization vulnerability. After analyzing the configuration files, we observed that the server had set the TypeFilterLevel to Full which is dangerous as it can potentially lead to remote code execution using deserialization. This issue affects IntelliSpace Portal: 12 and prior. | |||||
| CVE-2024-57762 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 7.5 HIGH |
| MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. | |||||
| CVE-2024-57763 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. | |||||
| CVE-2024-57764 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. | |||||
| CVE-2024-57766 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. | |||||
| CVE-2025-29793 | 2025-04-09 | N/A | 7.2 HIGH | ||
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2024-1950 | 1 Wpwax | 1 Product Carousel Slider \& Grid Ultimate For Woocommerce | 2025-04-09 | N/A | 7.5 HIGH |
| The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2007-1701 | 1 Php | 1 Php | 2025-04-09 | 6.8 MEDIUM | N/A |
| PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:". | |||||
| CVE-2025-3413 | 2025-04-08 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in opplus springboot-admin up to a2d5310f44fd46780a8686456cf2f9001ab8f024 and classified as critical. Affected by this vulnerability is the function code of the file SysGeneratorController.java. The manipulation of the argument Tables leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-30221 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-04-08 | N/A | 5.4 MEDIUM |
| Deserialization of Untrusted Data vulnerability in WP Sunshine Sunshine Photo Cart.This issue affects Sunshine Photo Cart: from n/a through 3.1.1. | |||||
| CVE-2024-30224 | 1 Wpxpo | 1 Wholesalex | 2025-04-08 | N/A | 10.0 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2. | |||||
| CVE-2024-30230 | 1 Acowebs | 1 Pdf Invoices And Packing Slips For Woocommerce | 2025-04-08 | N/A | 8.2 HIGH |
| Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7. | |||||
| CVE-2023-22850 | 1 Tiki | 1 Tiki | 2025-04-07 | N/A | 8.8 HIGH |
| Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | |||||
| CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2025-04-07 | N/A | 9.8 CRITICAL |
| The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | |||||
| CVE-2025-3165 | 2025-04-07 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as critical has been found in thu-pacman chitu 0.1.0. This affects the function torch.load of the file chitu/chitu/backend.py. The manipulation of the argument ckpt_path/quant_ckpt_dir leads to deserialization. An attack has to be approached locally. | |||||