Total
2015 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2939 | 1 Wpmanageninja | 1 Ninja Tables | 2025-07-10 | N/A | 5.6 MEDIUM |
| The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited. | |||||
| CVE-2025-7216 | 2025-07-10 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1971 | 1 Webtoffee | 1 Import Export Wordpress Users | 2025-07-09 | N/A | 7.2 HIGH |
| The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-29953 | 1 Apache | 1 Activemq Nms Openwire | 2025-07-09 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future. | |||||
| CVE-2023-51576 | 1 Voltronicpower | 1 Viewpower | 2025-07-09 | N/A | 9.8 CRITICAL |
| Voltronic Power ViewPower Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI interface, which listens on TCP port 51099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22012. | |||||
| CVE-2025-29793 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-09 | N/A | 7.2 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-1913 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2025-07-09 | N/A | 7.2 HIGH |
| The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-47166 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-09 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-47163 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-09 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-27130 | 1 Welcart | 1 Welcart E-commerce | 2025-07-08 | N/A | 8.8 HIGH |
| Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product. | |||||
| CVE-2025-6279 | 1 Upsonic | 1 Upsonic | 2025-07-08 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-52828 | 2025-07-08 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7. | |||||
| CVE-2025-49417 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3. | |||||
| CVE-2025-42966 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
| SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application. | |||||
| CVE-2025-42963 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
| A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. | |||||
| CVE-2025-42980 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
| SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | |||||
| CVE-2025-42964 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
| SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | |||||
| CVE-2025-32897 | 1 Apache | 1 Seata | 2025-07-08 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. | |||||
| CVE-2025-47568 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-07-08 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91. | |||||
| CVE-2022-23302 | 5 Apache, Broadcom, Netapp and 2 more | 26 Log4j, Brocade Sannav, Snapmanager and 23 more | 2025-07-07 | 6.0 MEDIUM | 8.8 HIGH |
| JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | |||||