Total
2514 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13913 | 2026-03-17 | N/A | 6.3 MEDIUM | ||
| A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code. | |||||
| CVE-2026-1323 | 2026-03-17 | N/A | N/A | ||
| The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath']. | |||||
| CVE-2026-32355 | 2026-03-16 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1. | |||||
| CVE-2026-25166 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-03-13 | N/A | 7.8 HIGH |
| Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally. | |||||
| CVE-2026-26114 | 1 Microsoft | 1 Sharepoint Server | 2026-03-13 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-3967 | 2026-03-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57622 | 2026-03-12 | N/A | 9.8 CRITICAL | ||
| An issue in Step-Video-T2V allows a remote attacker to execute arbitrary code via the /vae-api , /caption-api , feature = pickle.loads(request.get_data()) component | |||||
| CVE-2026-2626 | 2026-03-11 | N/A | 8.1 HIGH | ||
| The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection | |||||
| CVE-2026-27685 | 2026-03-11 | N/A | 9.1 CRITICAL | ||
| SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system. | |||||
| CVE-2026-1286 | 2026-03-11 | N/A | N/A | ||
| CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file. | |||||
| CVE-2025-11739 | 2026-03-11 | N/A | N/A | ||
| CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization. | |||||
| CVE-2026-22471 | 2026-03-10 | N/A | 8.6 HIGH | ||
| Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1. | |||||
| CVE-2026-22454 | 2026-03-10 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through <= 2.5. | |||||
| CVE-2025-26399 | 1 Solarwinds | 1 Web Help Desk | 2026-03-10 | N/A | 9.8 CRITICAL |
| SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. | |||||
| CVE-2026-22497 | 2026-03-09 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2. | |||||
| CVE-2026-22474 | 2026-03-09 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection.This issue affects Equestrian Centre: from n/a through <= 1.5. | |||||
| CVE-2026-27338 | 2026-03-09 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.This issue affects Car Zone: from n/a through <= 3.7. | |||||
| CVE-2026-27369 | 2026-03-09 | N/A | 8.1 HIGH | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6. | |||||
| CVE-2026-22453 | 2026-03-09 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through <= 2.3. | |||||
| CVE-2026-22417 | 2026-03-09 | N/A | 8.1 HIGH | ||
| Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through <= 3.1.0. | |||||