Total
2185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61622 | 1 Apache | 1 Fory | 2025-12-03 | N/A | 9.8 CRITICAL |
| Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue. | |||||
| CVE-2025-51742 | 1 Jishenghua | 1 Jsherp | 2025-12-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. | |||||
| CVE-2025-51743 | 1 Jishenghua | 1 Jsherp | 2025-12-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks. | |||||
| CVE-2025-51744 | 1 Jishenghua | 1 Jsherp | 2025-12-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. | |||||
| CVE-2025-51745 | 1 Jishenghua | 1 Jsherp | 2025-12-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | |||||
| CVE-2025-51746 | 1 Jishenghua | 1 Jsherp | 2025-12-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. | |||||
| CVE-2025-9191 | 2025-12-01 | N/A | 6.3 MEDIUM | ||
| The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-41700 | 2025-12-01 | N/A | 7.8 HIGH | ||
| An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | |||||
| CVE-2025-13805 | 2025-12-01 | 2.6 LOW | 3.7 LOW | ||
| A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-61168 | 1 Sigb | 1 Pmb | 2025-12-01 | N/A | 9.8 CRITICAL |
| An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. | |||||
| CVE-2025-32434 | 1 Linuxfoundation | 1 Pytorch | 2025-12-01 | N/A | 9.8 CRITICAL |
| PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0. | |||||
| CVE-2025-62703 | 2025-11-26 | N/A | 8.8 HIGH | ||
| Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326. | |||||
| CVE-2025-13467 | 2025-11-25 | N/A | 5.5 MEDIUM | ||
| A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | |||||
| CVE-2025-64408 | 1 Apache | 1 Causeway | 2025-11-25 | N/A | 6.3 MEDIUM |
| Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue. | |||||
| CVE-2024-53477 | 1 Jflyfox | 1 Jfinal Cms | 2025-11-25 | N/A | 9.8 CRITICAL |
| JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java | |||||
| CVE-2025-13081 | 1 Drupal | 1 Drupal | 2025-11-24 | N/A | 5.9 MEDIUM |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | |||||
| CVE-2025-66073 | 2025-11-21 | N/A | 6.5 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.This issue affects WP Webhooks: from n/a through <= 3.3.8. | |||||
| CVE-2025-59245 | 1 Microsoft | 1 Sharepoint Online | 2025-11-21 | N/A | 9.8 CRITICAL |
| Microsoft SharePoint Online Elevation of Privilege Vulnerability | |||||
| CVE-2025-66055 | 2025-11-21 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10. | |||||
| CVE-2025-34067 | 2025-11-20 | N/A | N/A | ||
| An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | |||||