Total
2097 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60209 | 2025-10-23 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection.This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6. | |||||
| CVE-2025-60039 | 2025-10-23 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0. | |||||
| CVE-2025-24813 | 3 Apache, Debian, Netapp | 4 Tomcat, Debian Linux, Bootstrap Os and 1 more | 2025-10-23 | N/A | 9.8 CRITICAL |
| Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue. | |||||
| CVE-2025-60213 | 2025-10-23 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Whitebox-Studio Scape scape allows Object Injection.This issue affects Scape: from n/a through <= 1.5.13. | |||||
| CVE-2023-38203 | 1 Adobe | 1 Coldfusion | 2025-10-23 | N/A | 9.8 CRITICAL |
| Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-29300 | 1 Adobe | 1 Coldfusion | 2025-10-23 | N/A | 9.8 CRITICAL |
| Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-26359 | 1 Adobe | 1 Coldfusion | 2025-10-23 | N/A | 9.8 CRITICAL |
| Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. | |||||
| CVE-2018-4939 | 1 Adobe | 1 Coldfusion | 2025-10-23 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2025-49380 | 2025-10-22 | N/A | 5.3 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7. | |||||
| CVE-2025-60214 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through <= 1.2.1. | |||||
| CVE-2025-52737 | 2025-10-22 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection.This issue affects WP Store Locator: from n/a through <= 2.2.260. | |||||
| CVE-2025-59007 | 2025-10-22 | N/A | 8.1 HIGH | ||
| Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1. | |||||
| CVE-2025-60225 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection.This issue affects BugsPatrol: from n/a through <= 1.5.0. | |||||
| CVE-2025-61765 | 2025-10-22 | N/A | 6.4 MEDIUM | ||
| python-socketio is a Python implementation of the Socket.IO realtime client and server. A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server deployments on which the attacker previously gained access to the message queue that the servers use for internal communications. When Socket.IO servers are configured to use a message queue backend such as Redis for inter-server communication, messages sent between the servers are encoded using the `pickle` Python module. When a server receives one of these messages through the message queue, it assumes it is trusted and immediately deserializes it. The vulnerability stems from deserialization of messages using Python's `pickle.loads()` function. Having previously obtained access to the message queue, the attacker can send a python-socketio server a crafted pickle payload that executes arbitrary code during deserialization via Python's `__reduce__` method. This vulnerability only affects deployments with a compromised message queue. The attack can lead to the attacker executing random code in the context of, and with the privileges of a Socket.IO server process. Single-server systems that do not use a message queue, and multi-server systems with a secure message queue are not vulnerable. In addition to making sure standard security practices are followed in the deployment of the message queue, users of the python-socketio package can upgrade to version 5.14.0 or newer, which remove the `pickle` module and use the much safer JSON encoding for inter-server messaging. | |||||
| CVE-2021-42237 | 1 Sitecore | 1 Experience Platform | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | |||||
| CVE-2021-35464 | 1 Forgerock | 2 Access Management, Openam | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier | |||||
| CVE-2020-7961 | 1 Liferay | 1 Liferay Portal | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). | |||||
| CVE-2020-10189 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | |||||
| CVE-2019-9875 | 1 Sitecore | 1 Cms | 2025-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. | |||||
| CVE-2019-9874 | 1 Sitecore | 2 Cms, Experience Platform | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. | |||||