Total
1958 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5086 | 2025-06-04 | N/A | 9.0 CRITICAL | ||
| A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution. | |||||
| CVE-2025-5552 | 2025-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5498 | 2025-06-04 | 6.5 MEDIUM | 5.5 MEDIUM | ||
| A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5499 | 2025-06-04 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-22777 | 1 Givewp | 1 Givewp | 2025-06-04 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.19.3. | |||||
| CVE-2022-39008 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-03 | N/A | 9.1 CRITICAL |
| The NFC module has bundle serialization/deserialization vulnerabilities. Successful exploitation of this vulnerability may cause third-party apps to read and write files that are accessible only to system apps. | |||||
| CVE-2025-5174 | 1 Erdogant | 1 Pypickle | 2025-06-03 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Affected by this issue is the function load of the file pypickle/pypickle.py. The manipulation leads to deserialization. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is identified as 14b4cae704a0bb4eb6723e238f25382d847a1917. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5173 | 1 Humansignal | 1 Label Studio Ml Backend | 2025-06-03 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py of the component PT File Handler. The manipulation of the argument path leads to deserialization. An attack has to be approached locally. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | |||||
| CVE-2025-27526 | 1 Apache | 1 Inlong | 2025-06-03 | N/A | 6.5 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability which can lead to JDBC Vulnerability URLEncdoe and backspace bypass. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747 | |||||
| CVE-2025-27528 | 1 Apache | 1 Inlong | 2025-06-03 | N/A | 9.1 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747 | |||||
| CVE-2023-6528 | 1 Themepunch | 1 Slider Revolution | 2025-06-03 | N/A | 8.8 HIGH |
| The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. | |||||
| CVE-2023-6049 | 1 Estatik | 1 Estatik | 2025-06-03 | N/A | 9.8 CRITICAL |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog | |||||
| CVE-2025-27522 | 1 Apache | 1 Inlong | 2025-06-03 | N/A | 6.5 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732 | |||||
| CVE-2024-55638 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | |||||
| CVE-2024-55637 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | |||||
| CVE-2024-55636 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | |||||
| CVE-2025-5326 | 2025-05-30 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Affected by this issue is some unknown functionality of the file /adpweb/wechat/verifyToken/. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-48336 | 2025-05-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.This issue affects Course Builder: from n/a before 3.6.6. | |||||
| CVE-2023-50943 | 1 Apache | 1 Airflow | 2025-05-30 | N/A | 7.5 HIGH |
| Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. | |||||
| CVE-2017-20189 | 1 Clojure | 1 Clojure | 2025-05-30 | N/A | 9.8 CRITICAL |
| In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects. | |||||