Vulnerabilities (CVE)

Filtered by CWE-502
Total 2675 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-40551 1 Solarwinds 1 Web Help Desk 2026-02-03 N/A 9.8 CRITICAL
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
CVE-2025-30160 1 Redlib 1 Redlib 2026-02-03 N/A 7.5 HIGH
Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0.
CVE-2025-33210 1 Nvidia 1 Isaac Lab 2026-02-02 N/A 9.0 CRITICAL
NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution.
CVE-2026-24747 1 Linuxfoundation 1 Pytorch 2026-01-30 N/A 8.8 HIGH
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
CVE-2025-27925 1 Nintex 1 Automation 2026-01-29 N/A 8.5 HIGH
Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input.
CVE-2025-27522 1 Apache 1 Inlong 2026-01-28 N/A 6.5 MEDIUM
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732
CVE-2026-24656 1 Apache 1 Karaf Decanter 2026-01-27 N/A 3.7 LOW
Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue.
CVE-2025-30025 1 Axis 2 Camera Station Pro, Device Manager 2026-01-23 N/A 7.8 HIGH
The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation.
CVE-2025-30023 1 Axis 3 Camera Station, Camera Station Pro, Device Manager 2026-01-23 N/A 9.0 CRITICAL
The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.
CVE-2023-7334 1 Chanjetvip 1 T+ 2026-01-23 N/A 9.8 CRITICAL
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
CVE-2025-11346 1 Ilias 1 Ilias 2026-01-23 6.5 MEDIUM 6.3 MEDIUM
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 is able to mitigate this issue. It is advisable to upgrade the affected component.
CVE-2025-11345 1 Ilias 1 Ilias 2026-01-23 6.5 MEDIUM 5.5 MEDIUM
A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised.
CVE-2025-47584 1 Themegoods 1 Photography 2026-01-22 N/A 8.5 HIGH
Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2.
CVE-2025-14930 1 Huggingface 1 Transformers 2026-01-21 N/A 7.8 HIGH
Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.
CVE-2025-14920 1 Huggingface 1 Transformers 2026-01-21 N/A 7.8 HIGH
Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.
CVE-2025-14921 1 Huggingface 1 Transformers 2026-01-21 N/A 7.8 HIGH
Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.
CVE-2025-14929 1 Huggingface 1 Transformers 2026-01-21 N/A 7.8 HIGH
Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308.
CVE-2025-5499 1 Phpwcms 1 Phpwcms 2026-01-20 7.5 HIGH 7.3 HIGH
A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2025-5498 1 Phpwcms 1 Phpwcms 2026-01-20 6.5 MEDIUM 5.5 MEDIUM
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2025-60226 1 Axiomthemes 1 White Rabbit 2026-01-20 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection. This issue affects White Rabbit: from n/a through <= 1.5.2.