Total
2455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60237 | 2026-03-19 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0. | |||||
| CVE-2026-27096 | 2026-03-19 | N/A | 8.1 HIGH | ||
| Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3. | |||||
| CVE-2026-25873 | 2026-03-19 | N/A | 9.8 CRITICAL | ||
| OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service. | |||||
| CVE-2025-60233 | 2026-03-19 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2. | |||||
| CVE-2026-25445 | 2026-03-19 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0. | |||||
| CVE-2026-20963 | 1 Microsoft | 1 Sharepoint Server | 2026-03-19 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-25632 | 1 Waterfutures | 1 Epyt-flow | 2026-03-18 | N/A | 10.0 CRITICAL |
| EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1. | |||||
| CVE-2026-25449 | 2026-03-18 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection.This issue affects Traveler: from n/a before 3.2.8.1. | |||||
| CVE-2025-39480 | 2026-03-18 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection.This issue affects Car Dealer: from n/a before 1.6.8. | |||||
| CVE-2026-25923 | 1 Mylittleforum | 1 My Little Forum | 2026-03-17 | N/A | 9.1 CRITICAL |
| my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1. | |||||
| CVE-2025-13913 | 2026-03-17 | N/A | 6.3 MEDIUM | ||
| A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code. | |||||
| CVE-2026-3060 | 1 Lmsys | 1 Sglang | 2026-03-17 | N/A | 9.8 CRITICAL |
| SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. | |||||
| CVE-2026-1323 | 2026-03-17 | N/A | N/A | ||
| The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath']. | |||||
| CVE-2026-3059 | 1 Lmsys | 1 Sglang | 2026-03-17 | N/A | 9.8 CRITICAL |
| SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication. | |||||
| CVE-2026-32355 | 2026-03-16 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1. | |||||
| CVE-2026-25166 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-03-13 | N/A | 7.8 HIGH |
| Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally. | |||||
| CVE-2026-26114 | 1 Microsoft | 1 Sharepoint Server | 2026-03-13 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-27749 | 1 Avira | 1 Internet Security | 2026-03-13 | N/A | 7.8 HIGH |
| Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM. | |||||
| CVE-2026-3967 | 2026-03-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57622 | 2026-03-12 | N/A | 9.8 CRITICAL | ||
| An issue in Step-Video-T2V allows a remote attacker to execute arbitrary code via the /vae-api , /caption-api , feature = pickle.loads(request.get_data()) component | |||||