Total: 1928 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-53990 | | | 2025-07-16 | N/A | 7.2 HIGH | Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2.
CVE-2025-24777 | | | 2025-07-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7.
CVE-2025-28961 | | | 2025-07-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7.
CVE-2025-30949 | | | 2025-07-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4.
CVE-2025-30973 | | | 2025-07-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.
CVE-2025-31422 | | | 2025-07-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in designthemes Visual Art \| Gallery WordPress Theme allows Object Injection. This issue affects Visual Art \| Gallery WordPress Theme: from n/a through 2.4.
CVE-2025-24779 | | | 2025-07-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in NooTheme Yogi allows Object Injection. This issue affects Yogi: from n/a through 2.9.0.
CVE-2024-4699 | 1 Dlink | 2 Dar-8000-10, Dar-8000-10 Firmware | 2025-07-16 | 6.5 MEDIUM | 6.3 MEDIUM | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
CVE-2024-48063 | 1 Linuxfoundation | 1 Pytorch | 2025-07-16 | N/A | 9.8 CRITICAL | In PyTorch <=2.4.1, the RemoteModule has a deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
CVE-2022-41137 | 1 Apache | 1 Hive | 2025-07-15 | N/A | 8.3 HIGH | Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions; the method is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
CVE-2024-52338 | 1 Apache | 1 Arrow | 2025-07-15 | N/A | 9.8 CRITICAL | Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can be read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue.
CVE-2025-47994 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2025-07-15 | N/A | 7.8 HIGH | Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
CVE-2025-53416 | | | 2025-07-15 | N/A | 7.8 HIGH | Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution.
CVE-2025-30025 | | | 2025-07-15 | N/A | N/A | The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation.
CVE-2025-30023 | | | 2025-07-15 | N/A | 9.0 CRITICAL | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.
CVE-2025-2251 | | | 2025-07-14 | N/A | 6.2 MEDIUM | A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
CVE-2024-12433 | 1 Infiniflow | 1 Ragflow | 2025-07-14 | N/A | 9.8 CRITICAL | A vulnerability in infiniflow/ragflow version v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey (`authkey=b'infiniflow-token4kevinhu'`) which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.
CVE-2024-11039 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A | 8.8 HIGH | A pickle deserialization vulnerability exists in the LaTeX English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, which can be exploited by constructing a malicious compressed package containing a merge_result.pkl file and a merge_proofread_en.tex file. The vulnerability is fixed in commit 91f5e6b.
CVE-2024-52577 | 1 Apache | 1 Ignite | 2025-07-14 | N/A | 9.0 CRITICAL | In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.
CVE-2024-10553 | 1 H2o | 1 H2o | 2025-07-14 | N/A | 9.8 CRITICAL | A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.