Total: 2672 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53415 | | | 2026-04-15 | N/A | 7.8 HIGH |
| Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution | | | | | |
| CVE-2026-1542 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | | | | | |
| CVE-2025-9365 | | | 2026-04-15 | N/A | 7.8 HIGH |
| Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. | | | | | |
| CVE-2025-48018 | | | 2026-04-15 | N/A | 7.5 HIGH |
| An authenticated user can modify application state data. | | | | | |
| CVE-2025-60225 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection. This issue affects BugsPatrol: from n/a through <= 1.5.0. | | | | | |
| CVE-2025-42928 | | | 2026-04-15 | N/A | 9.1 CRITICAL |
| Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system. | | | | | |
| CVE-2026-24954 | | | 2026-04-15 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8. | | | | | |
| CVE-2025-49127 | | | 2026-04-15 | N/A | N/A |
| Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue. | | | | | |
| CVE-2024-29040 | | | 2026-04-15 | N/A | 4.3 MEDIUM |
| This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This issue has been patched in version 4.1.0. | | | | | |
| CVE-2025-32283 | | | 2026-04-15 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5. | | | | | |
| CVE-2025-3677 | | | 2026-04-15 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the function split_files/apply_delta_low_cpu_mem of the file fastchat/model/apply_delta.py. The manipulation leads to deserialization. An attack has to be approached locally. | | | | | |
| CVE-2025-64227 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7. | | | | | |
| CVE-2025-69036 | | | 2026-04-15 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. | | | | | |
| CVE-2025-69371 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection. This issue affects KindlyCare: from n/a through <= 1.6.1. | | | | | |
| CVE-2025-66055 | | | 2026-04-15 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection. This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10. | | | | | |
| CVE-2020-37071 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. | | | | | |
| CVE-2025-0855 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | | | | | |
| CVE-2025-60039 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection. This issue affects Noisa: from n/a through <= 2.6.0. | | | | | |
| CVE-2025-8145 | | | 2026-04-15 | N/A | 8.8 HIGH |
| The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible. | | | | | |
| CVE-2025-68047 | | | 2026-04-15 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.3. | | | | | |
