Total
2525 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9571 | 2026-04-15 | N/A | N/A | ||
| A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: * 6.10.6+ * 6.11.1+ Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases . | |||||
| CVE-2024-55556 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server. | |||||
| CVE-2023-27531 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code | |||||
| CVE-2025-58643 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Daylight Edition ltl-freight-quotes-daylight-edition allows Object Injection.This issue affects LTL Freight Quotes – Daylight Edition: from n/a through <= 2.2.7. | |||||
| CVE-2025-32568 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce empik-for-woocommerce allows Object Injection.This issue affects EmpikPlace for Woocommerce: from n/a through <= 1.4.3. | |||||
| CVE-2024-43252 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew HRM: from n/a through <= 1.1.1. | |||||
| CVE-2025-39356 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart foodbakery-sticky-cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through <= 3.2. | |||||
| CVE-2026-22346 | 2026-04-15 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow – Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow – Image slider, Gallery slideshow: from n/a through <= 1.5.4. | |||||
| CVE-2024-7561 | 2026-04-15 | N/A | 8.8 HIGH | ||
| The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-31277 | 2026-04-15 | N/A | 8.7 HIGH | ||
| Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32. | |||||
| CVE-2025-49330 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection.This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0. | |||||
| CVE-2025-68541 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through <= 1.2.0. | |||||
| CVE-2024-34515 | 2026-04-15 | N/A | 8.8 HIGH | ||
| image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists(). | |||||
| CVE-2025-26921 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6. | |||||
| CVE-2025-52761 | 2026-04-15 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0. | |||||
| CVE-2024-3301 | 2026-04-15 | N/A | 8.5 HIGH | ||
| An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution. | |||||
| CVE-2025-60216 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection.This issue affects Addison: from n/a through < 1.4.8. | |||||
| CVE-2024-12627 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via deserialization of untrusted input from post content passed to the capture_email AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2025-54723 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3. | |||||
| CVE-2024-2229 | 2026-04-15 | N/A | 7.8 HIGH | ||
| CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. | |||||