Total: 2817 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8519 | 1 Hp | 1 Operations Orchestration | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found. | |||||
| CVE-2016-8511 | 1 Hp | 1 Network Automation | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found. | |||||
| CVE-2016-7124 | 1 Php | 1 Php | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call. | |||||
| CVE-2016-7065 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object. | |||||
| CVE-2016-7050 | 1 Redhat | 4 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 1 more | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code. | |||||
| CVE-2016-6814 | 2 Apache, Redhat | 2 Groovy, Enterprise Linux Server | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability. | |||||
| CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | |||||
| CVE-2016-6793 | 1 Apache | 1 Wicket | 2026-06-17 | 6.4 MEDIUM | 9.1 CRITICAL |
| The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object. | |||||
| CVE-2016-6620 | 1 Phpmyadmin | 1 Phpmyadmin | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2016-6330 | 1 Redhat | 1 Jboss Operations Network | 2026-06-17 | 9.0 HIGH | 9.8 CRITICAL |
| The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737. | |||||
| CVE-2016-6199 | 1 Gradle | 1 Gradle | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | |||||
| CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | |||||
| CVE-2016-4978 | 2 Apache, Redhat | 3 Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform | 2026-06-17 | 6.0 MEDIUM | 7.2 HIGH |
| The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. | |||||
| CVE-2016-4483 | 3 Debian, Oracle, Xmlsoft | 3 Debian Linux, Solaris, Libxml2 | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627. | |||||
| CVE-2016-4405 | 1 Hp | 1 Business Service Management | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26. | |||||
| CVE-2016-4398 | 1 Hp | 1 Network Node Manager I | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization. | |||||
| CVE-2016-4385 | 1 Hp | 1 Network Automation | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries. | |||||
| CVE-2016-4000 | 2 Debian, Jython Project | 2 Debian Linux, Jython | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | |||||
| CVE-2016-3957 | 1 Web2py | 1 Web2py | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. | |||||
