Total
2675 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27475 | 1 Spip | 1 Spip | 2026-02-24 | N/A | 8.1 HIGH |
| SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen. | |||||
| CVE-2015-6420 | 1 Apache | 1 Commons Collections | 2026-02-24 | 7.5 HIGH | 9.8 CRITICAL |
| Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
| CVE-2026-24891 | 1 It-novum | 1 Openitcockpit | 2026-02-24 | N/A | 7.5 HIGH |
| openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0. | |||||
| CVE-2025-60036 | 1 Bosch | 2 Rexroth Indraworks, Rexroth Ua.testclient | 2026-02-24 | N/A | 7.8 HIGH |
| A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.Testclient. | |||||
| CVE-2025-60037 | 1 Bosch | 1 Rexroth Indraworks | 2026-02-24 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks. | |||||
| CVE-2025-60038 | 1 Bosch | 1 Rexroth Indraworks | 2026-02-24 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks. | |||||
| CVE-2025-60035 | 1 Bosch | 1 Rexroth Indraworks | 2026-02-24 | N/A | 7.8 HIGH |
| A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the OPC.Testclient. | |||||
| CVE-2025-15348 | 1 Anritsu | 1 Shockline | 2026-02-23 | N/A | 7.8 HIGH |
| Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | |||||
| CVE-2019-2391 | 1 Mongodb | 1 Js-bson | 2026-02-23 | 5.5 MEDIUM | 4.2 MEDIUM |
| Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to. | |||||
| CVE-2025-15350 | 1 Anritsu | 1 Vectorstar | 2026-02-23 | N/A | 7.8 HIGH |
| Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | |||||
| CVE-2025-15351 | 1 Anritsu | 1 Vectorstar | 2026-02-23 | N/A | 7.8 HIGH |
| Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | |||||
| CVE-2025-41700 | 1 Codesys | 1 Codesys | 2026-02-23 | N/A | 7.8 HIGH |
| An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | |||||
| CVE-2025-49113 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2026-02-23 | N/A | 9.9 CRITICAL |
| Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | |||||
| CVE-2025-33241 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-33243 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution in distributed environments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-33245 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 8.0 HIGH |
| NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-33252 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | |||||
| CVE-2025-33253 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | |||||
| CVE-2021-44228 | 12 Apache, Apple, Bentley and 9 more | 166 Log4j, Xcode, Synchro and 163 more | 2026-02-20 | 9.3 HIGH | 10.0 CRITICAL |
| Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. | |||||
| CVE-2026-0760 | 1 Deepwisdom | 1 Metagpt | 2026-02-20 | N/A | 9.8 CRITICAL |
| Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. | |||||