Total
1958 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49455 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0. | |||||
| CVE-2025-24016 | 1 Wazuh | 1 Wazuh | 2025-06-11 | N/A | 9.9 CRITICAL |
| Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix. | |||||
| CVE-2023-5235 | 1 Kutethemes | 1 Ovic Responsive Wpbakery | 2025-06-11 | N/A | 8.8 HIGH |
| The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks. | |||||
| CVE-2023-1405 | 1 Strategy11 | 1 Formidable Forms | 2025-06-11 | N/A | 7.5 HIGH |
| The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. | |||||
| CVE-2024-36528 | 1 Nukeviet | 1 Nukeviet | 2025-06-10 | N/A | 8.8 HIGH |
| nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before have a Deserialization vulnerability which results in code execution via /admin/extensions/download.php and /admin/extensions/upload.php. | |||||
| CVE-2025-49127 | 2025-06-09 | N/A | N/A | ||
| Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue. | |||||
| CVE-2018-15686 | 4 Canonical, Debian, Oracle and 1 more | 4 Ubuntu Linux, Debian Linux, Communications Cloud Native Core Network Function Cloud Native Environment and 1 more | 2025-06-09 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239. | |||||
| CVE-2025-26873 | 2025-06-09 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Shine theme Traveler.This issue affects Traveler: from n/a before 3.2.1. | |||||
| CVE-2025-48780 | 2025-06-06 | N/A | N/A | ||
| A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object. | |||||
| CVE-2025-5680 | 2025-06-06 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-39358 | 2025-06-06 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Teastudio.Pl WP Posts Carousel allows Object Injection.This issue affects WP Posts Carousel: from n/a through 1.3.12. | |||||
| CVE-2025-49072 | 2025-06-06 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection.This issue affects Mr. Murphy: from n/a before 1.2.12.1. | |||||
| CVE-2025-47584 | 2025-06-06 | N/A | 8.5 HIGH | ||
| Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.This issue affects Photography: from n/a through 7.5.2. | |||||
| CVE-2025-49073 | 2025-06-06 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Axiomthemes Sweet Dessert allows Object Injection.This issue affects Sweet Dessert: from n/a before 1.1.13. | |||||
| CVE-2024-1895 | 1 Awplife | 1 Event Monster | 2025-06-05 | N/A | 7.5 HIGH |
| The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2025-5679 | 2025-06-05 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-3431 | 1 Eyoucms | 1 Eyoucms | 2025-06-05 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in EyouCMS 1.6.5. It has been declared as critical. This vulnerability affects unknown code of the file /login.php?m=admin&c=Field&a=channel_edit of the component Backend. The manipulation of the argument channel_id leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259612. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-35815 | 1 Devexpress | 1 Devexpress | 2025-06-05 | N/A | 3.5 LOW |
| DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data. | |||||
| CVE-2023-35814 | 1 Devexpress | 1 Devexpress | 2025-06-05 | N/A | 3.5 LOW |
| DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms. | |||||
| CVE-2025-48951 | 2025-06-04 | N/A | N/A | ||
| Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue. | |||||