Total
1860 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-8103 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | |||||
CVE-2016-4385 | 1 Hp | 1 Network Automation | 2025-04-12 | 7.5 HIGH | 7.3 HIGH |
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries. | |||||
CVE-2025-31932 | 2025-04-11 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data issue exists in BizRobo! all versions. If this vulnerability is exploited, an arbitrary code is executed on the Management Console. The vendor provides the workaround information and recommends to apply it to the deployment environment. | |||||
CVE-2025-32569 | 2025-04-11 | N/A | 9.8 CRITICAL | ||
Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2. | |||||
CVE-2025-32143 | 2025-04-11 | N/A | 8.8 HIGH | ||
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10. | |||||
CVE-2025-32145 | 2025-04-11 | N/A | 8.8 HIGH | ||
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5. | |||||
CVE-2025-32568 | 2025-04-11 | N/A | 9.8 CRITICAL | ||
Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2. | |||||
CVE-2025-32607 | 2025-04-11 | N/A | 9.8 CRITICAL | ||
Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly allows Object Injection. This issue affects WpBookingly: from n/a through 1.2.0. | |||||
CVE-2025-32144 | 2025-04-11 | N/A | 8.8 HIGH | ||
Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager allows Object Injection. This issue affects Job Board Manager: from n/a through 2.1.60. | |||||
CVE-2023-30534 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-04-11 | N/A | 4.3 MEDIUM |
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2012-3527 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2025-04-11 | 4.6 MEDIUM | N/A |
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." | |||||
CVE-2011-2894 | 1 Vmware | 2 Spring Framework, Spring Security | 2025-04-11 | 6.8 MEDIUM | N/A |
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. | |||||
CVE-2012-0911 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL |
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. | |||||
CVE-2010-3258 | 1 Google | 1 Chrome | 2025-04-11 | 9.3 HIGH | N/A |
The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors. | |||||
CVE-2013-4271 | 1 Restlet | 1 Restlet | 2025-04-11 | 7.5 HIGH | N/A |
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. | |||||
CVE-2012-4406 | 3 Fedoraproject, Openstack, Redhat | 7 Fedora, Swift, Enterprise Linux Server and 4 more | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL |
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. | |||||
CVE-2013-1465 | 1 Cubecart | 1 Cubecart | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL |
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. | |||||
CVE-2011-2520 | 2 Fedoraproject, Redhat | 2 Fedora, System-config-firewall | 2025-04-11 | 6.0 MEDIUM | 7.8 HIGH |
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object. | |||||
CVE-2010-4574 | 2 Google, Linux | 3 Chrome, Chrome Os, Linux Kernel | 2025-04-11 | 7.5 HIGH | N/A |
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data. | |||||
CVE-2025-3425 | 2025-04-10 | N/A | N/A | ||
The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the deserialization vulnerability. After analyzing the configuration files, we observed that the server had set the TypeFilterLevel to Full which is dangerous as it can potentially lead to remote code execution using deserialization. This issue affects IntelliSpace Portal: 12 and prior. |