Total: 2675 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61880 | 1 Infoblox | 1 Nios | 2026-02-19 | N/A | 8.8 HIGH |
| In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution. | |||||
| CVE-2025-70560 | 1 Jwohlwend | 1 Boltz | 2026-02-19 | N/A | 8.4 HIGH |
| Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded. | |||||
| CVE-2026-2555 | 1 Jeecg | 1 Jeecg Boot | 2026-02-18 | 4.6 MEDIUM | 5.0 MEDIUM |
| A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-0772 | 1 Langflow | 1 Langflow | 2026-02-18 | N/A | 7.5 HIGH |
| Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | |||||
| CVE-2026-0764 | 1 Binary-husky | 1 Gpt Academic | 2026-02-18 | N/A | 9.8 CRITICAL |
| GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. | |||||
| CVE-2026-0763 | 1 Binary-husky | 1 Gpt Academic | 2026-02-18 | N/A | 9.8 CRITICAL |
| GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | |||||
| CVE-2026-0762 | 1 Binary-husky | 1 Gpt Academic | 2026-02-18 | N/A | 8.1 HIGH |
| GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | |||||
| CVE-2026-23946 | 1 Tendenci | 1 Tendenci | 2026-02-17 | N/A | 6.8 MEDIUM |
| Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. | |||||
| CVE-2026-23685 | 1 Sap | 1 Netweaver | 2026-02-17 | N/A | 4.4 MEDIUM |
| Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. | |||||
| CVE-2026-25614 | 1 Phillipsdata | 1 Blesta | 2026-02-13 | N/A | 7.5 HIGH |
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | |||||
| CVE-2026-25615 | 1 Phillipsdata | 1 Blesta | 2026-02-13 | N/A | 7.2 HIGH |
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | |||||
| CVE-2025-47732 | 1 Microsoft | 1 Dataverse | 2026-02-13 | N/A | 8.7 HIGH |
| Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-23864 | 1 Facebook | 1 React | 2026-02-13 | N/A | 7.5 HIGH |
| Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | |||||
| CVE-2026-21531 | 1 Microsoft | 1 Azure Conversation Authoring Client Library | 2026-02-12 | N/A | 9.8 CRITICAL |
| Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-21511 | 1 Microsoft | 5 365 Apps, Office, Office Long Term Servicing Channel and 2 more | 2026-02-11 | N/A | 7.5 HIGH |
| Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2025-10492 | 1 Cloud | 5 Jasperreports Io, Jasperreports Library, Jasperreports Server and 2 more | 2026-02-10 | N/A | 9.8 CRITICAL |
| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library. | |||||
| CVE-2025-56005 | 1 Dabeaz | 1 Ply | 2026-02-06 | N/A | 9.8 CRITICAL |
| An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully. | |||||
| CVE-2026-21226 | 1 Microsoft | 1 Azure Core Shared Client Library | 2026-02-05 | N/A | 7.5 HIGH |
| Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-63617 | 1 Kutangguo | 1 Ktg-mes | 2026-02-05 | N/A | 6.5 MEDIUM |
| ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. | |||||
| CVE-2025-48780 | 1 Scshr | 1 Hr Portal | 2026-02-04 | N/A | 9.8 CRITICAL |
| A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object. | |||||
