Vulnerabilities (CVE)

Filtered by CWE-502
Total 1860 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-8103 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2025-04-12 7.5 HIGH 9.8 CRITICAL
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
CVE-2016-4385 1 Hp 1 Network Automation 2025-04-12 7.5 HIGH 7.3 HIGH
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.
CVE-2025-31932 2025-04-11 N/A 8.8 HIGH
Deserialization of untrusted data issue exists in BizRobo! all versions. If this vulnerability is exploited, an arbitrary code is executed on the Management Console. The vendor provides the workaround information and recommends to apply it to the deployment environment.
CVE-2025-32569 2025-04-11 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2.
CVE-2025-32143 2025-04-11 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.
CVE-2025-32145 2025-04-11 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5.
CVE-2025-32568 2025-04-11 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2.
CVE-2025-32607 2025-04-11 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly allows Object Injection. This issue affects WpBookingly: from n/a through 1.2.0.
CVE-2025-32144 2025-04-11 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager allows Object Injection. This issue affects Job Board Manager: from n/a through 2.1.60.
CVE-2023-30534 2 Cacti, Fedoraproject 2 Cacti, Fedora 2025-04-11 N/A 4.3 MEDIUM
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2012-3527 2 Debian, Typo3 2 Debian Linux, Typo3 2025-04-11 4.6 MEDIUM N/A
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."
CVE-2011-2894 1 Vmware 2 Spring Framework, Spring Security 2025-04-11 6.8 MEDIUM N/A
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
CVE-2012-0911 1 Tiki 1 Tikiwiki Cms\/groupware 2025-04-11 7.5 HIGH 9.8 CRITICAL
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.
CVE-2010-3258 1 Google 1 Chrome 2025-04-11 9.3 HIGH N/A
The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors.
CVE-2013-4271 1 Restlet 1 Restlet 2025-04-11 7.5 HIGH N/A
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.
CVE-2012-4406 3 Fedoraproject, Openstack, Redhat 7 Fedora, Swift, Enterprise Linux Server and 4 more 2025-04-11 7.5 HIGH 9.8 CRITICAL
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
CVE-2013-1465 1 Cubecart 1 Cubecart 2025-04-11 7.5 HIGH 9.8 CRITICAL
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
CVE-2011-2520 2 Fedoraproject, Redhat 2 Fedora, System-config-firewall 2025-04-11 6.0 MEDIUM 7.8 HIGH
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.
CVE-2010-4574 2 Google, Linux 3 Chrome, Chrome Os, Linux Kernel 2025-04-11 7.5 HIGH N/A
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data.
CVE-2025-3425 2025-04-10 N/A N/A
The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the deserialization vulnerability. After analyzing the configuration files, we observed that the server had set the TypeFilterLevel to Full which is dangerous as it can potentially lead to remote code execution using deserialization. This issue affects IntelliSpace Portal: 12 and prior.