Total
2015 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48336 | 2025-05-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.This issue affects Course Builder: from n/a before 3.6.6. | |||||
| CVE-2023-50943 | 1 Apache | 1 Airflow | 2025-05-30 | N/A | 7.5 HIGH |
| Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. | |||||
| CVE-2017-20189 | 1 Clojure | 1 Clojure | 2025-05-30 | N/A | 9.8 CRITICAL |
| In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects. | |||||
| CVE-2025-48134 | 1 Shapedplugin | 1 Wp Tabs | 2025-05-30 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection. This issue affects WP Tabs: from n/a through 2.2.11. | |||||
| CVE-2021-29505 | 5 Debian, Fedoraproject, Netapp and 2 more | 17 Debian Linux, Fedora, Snapmanager and 14 more | 2025-05-30 | 6.5 MEDIUM | 7.5 HIGH |
| XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. | |||||
| CVE-2025-39349 | 1 Potenzaglobalsolutions | 1 Ciyashop | 2025-05-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0. | |||||
| CVE-2025-39348 | 1 Themegoods | 1 Grand Restaurant | 2025-05-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.This issue affects Grand Restaurant WordPress: from n/a through 7.0. | |||||
| CVE-2025-32928 | 1 Themegoods | 1 Altair | 2025-05-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.This issue affects Altair: from n/a through 5.2.2. | |||||
| CVE-2025-32927 | 1 Chimpgroup | 1 Foodbakery | 2025-05-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.This issue affects FoodBakery: from n/a through 3.3. | |||||
| CVE-2024-30222 | 1 Reputeinfosystems | 1 Armember | 2025-05-29 | N/A | 8.5 HIGH |
| Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | |||||
| CVE-2024-30223 | 1 Reputeinfosystems | 1 Armember | 2025-05-29 | N/A | 9.0 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | |||||
| CVE-2023-37227 | 1 Loftware | 1 Spectrum | 2025-05-29 | N/A | 9.8 CRITICAL |
| Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data. | |||||
| CVE-2022-40955 | 1 Apache | 1 Inlong | 2025-05-29 | N/A | 8.8 HIGH |
| In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer. | |||||
| CVE-2024-22871 | 2 Clojure, Fedoraproject | 2 Clojure, Fedora | 2025-05-28 | N/A | 7.5 HIGH |
| An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function. | |||||
| CVE-2025-32444 | 1 Vllm | 1 Vllm | 2025-05-28 | N/A | 10.0 CRITICAL |
| vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5. | |||||
| CVE-2022-41237 | 1 Jenkins | 1 Dotci | 2025-05-28 | N/A | 9.8 CRITICAL |
| Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2025-5148 | 2025-05-28 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in FunAudioLLM InspireMusic up to bf32364bcb0d136497ca69f9db622e9216b029dd. It has been classified as critical. Affected is the function load_state_dict of the file inspiremusic/cli/model.py of the component Pickle Data Handler. The manipulation leads to deserialization. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The name of the patch is 784cbf8dde2cf1456ff808aeba23177e1810e7a9. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-32434 | 1 Linuxfoundation | 1 Pytorch | 2025-05-28 | N/A | 9.8 CRITICAL |
| PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0. | |||||
| CVE-2024-32600 | 1 Averta | 1 Master Slider | 2025-05-27 | N/A | 8.3 HIGH |
| Deserialization of Untrusted Data vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.5. | |||||
| CVE-2022-36944 | 2 Fedoraproject, Scala-lang | 3 Fedora, Scala, Scala-collection-compat | 2025-05-27 | N/A | 9.8 CRITICAL |
| Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. | |||||