Vulnerabilities (CVE)

Filtered by CWE-502
Total 2885 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-8103 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2026-06-17 7.5 HIGH 9.8 CRITICAL
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
CVE-2015-7501 1 Redhat 15 Data Grid, Jboss A-mq, Jboss Bpm Suite and 12 more 2026-06-17 10.0 HIGH 9.8 CRITICAL
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CVE-2015-7450 1 Ibm 7 Sterling B2b Integrator, Sterling Integrator, Tivoli Common Reporting and 4 more 2026-06-17 10.0 HIGH 9.8 CRITICAL
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
CVE-2015-6420 1 Apache 1 Commons Collections 2026-06-17 7.5 HIGH 9.8 CRITICAL
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CVE-2015-5164 2 Pulpproject, Redhat 2 Qpid, Satellite 2026-06-17 9.0 HIGH 7.2 HIGH
The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp.
CVE-2015-4852 1 Oracle 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server 2026-06-17 7.5 HIGH 9.8 CRITICAL
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
CVE-2015-2020 1 Myscript 1 Myscript 2026-06-17 7.5 HIGH 9.8 CRITICAL
The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.
CVE-2014-9515 1 Dozer Project 1 Dozer 2026-06-17 7.5 HIGH 9.8 CRITICAL
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.
CVE-2014-8731 1 Phpmemcachedadmin Project 1 Phpmemcachedadmin 2026-06-17 10.0 HIGH 9.8 CRITICAL
PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in webroot.
CVE-2014-3699 1 Redhat 2 Edeploy, Jboss Enterprise Web Server 2026-06-17 7.5 HIGH 9.8 CRITICAL
eDeploy has RCE via cPickle deserialization of untrusted data
CVE-2014-1860 1 Contao 1 Contao Cms 2026-06-17 7.5 HIGH 9.8 CRITICAL
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
CVE-2014-1420 1 Canonical 1 Ubuntu-ui-toolkit 2026-06-17 2.1 LOW 3.8 LOW
On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1.
CVE-2013-7489 1 Beakerbrowser 1 Beaker 2026-06-17 5.2 MEDIUM 6.8 MEDIUM
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
CVE-2013-4521 1 Nuxeo 1 Nuxeo 2026-06-16 7.5 HIGH 9.8 CRITICAL
RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
CVE-2013-4271 1 Restlet 1 Restlet 2026-06-16 7.5 HIGH N/A
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.
CVE-2013-1465 1 Cubecart 1 Cubecart 2026-06-16 7.5 HIGH 9.8 CRITICAL
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
CVE-2012-4406 3 Fedoraproject, Openstack, Redhat 7 Fedora, Swift, Enterprise Linux Server and 4 more 2026-06-16 7.5 HIGH 9.8 CRITICAL
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
CVE-2012-3527 2 Debian, Typo3 2 Debian Linux, Typo3 2026-06-16 4.6 MEDIUM N/A
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."
CVE-2012-0911 1 Tiki 1 Tikiwiki Cms\/groupware 2026-06-16 7.5 HIGH 9.8 CRITICAL
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.
CVE-2011-2894 1 Vmware 2 Spring Framework, Spring Security 2026-06-16 6.8 MEDIUM N/A
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.