Total
2817 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14035 | 1 Crushftp | 1 Crushftp | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| CrushFTP 8.x before 8.2.0 has a serialization vulnerability. | |||||
| CVE-2017-13286 | 1 Google | 1 Android | 2026-06-17 | 7.2 HIGH | 7.8 HIGH |
| In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251. | |||||
| CVE-2017-12796 | 1 Openmrs | 1 Openmrs | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request. | |||||
| CVE-2017-12634 | 1 Apache | 1 Camel | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-12633 | 1 Apache | 1 Camel | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-12628 | 1 Apache | 1 James Server | 2026-06-17 | 7.2 HIGH | 7.8 HIGH |
| The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. | |||||
| CVE-2017-12612 | 1 Apache | 1 Spark | 2026-06-17 | 7.2 HIGH | 7.8 HIGH |
| In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. | |||||
| CVE-2017-12558 | 1 Hp | 1 Intelligent Management Center | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. | |||||
| CVE-2017-12557 | 1 Hp | 1 Intelligent Management Center | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. | |||||
| CVE-2017-12556 | 1 Hp | 1 Intelligent Management Center | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. | |||||
| CVE-2017-12149 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. | |||||
| CVE-2017-11284 | 1 Adobe | 1 Coldfusion | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2017-11283 | 1 Adobe | 1 Coldfusion | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2017-11153 | 1 Synology | 1 Photo Station | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. | |||||
| CVE-2017-11143 | 1 Php | 1 Php | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. | |||||
| CVE-2017-10992 | 1 Hp | 1 Storage Essentials | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Deserialization with remote code execution via OS commands in a request to invoker/JMXInvokerServlet, aka PSRT110461. | |||||
| CVE-2017-10934 | 1 Zte | 2 Zxiptv-epg, Zxiptv-epg Firmware | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host. | |||||
| CVE-2017-10932 | 1 Zte | 12 Nr8000tr, Nr8000tr Firmware, Nr8120 and 9 more | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products - NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950 are the applications of C/S architecture using the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host. | |||||
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2026-06-17 | 8.5 HIGH | 6.5 MEDIUM |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. | |||||
| CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | |||||