Total: 2675 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67748 | 1 Trailofbits | 1 Fickling | 2026-01-02 | N/A | 7.8 HIGH |
| Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues. | |||||
| CVE-2025-67729 | 1 Internlm | 1 Lmdeploy | 2025-12-31 | N/A | 8.8 HIGH |
| LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1. | |||||
| CVE-2025-63950 | 1 Tomaszdunia | 1 Twittodon | 2025-12-31 | N/A | 7.5 HIGH |
| An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service. | |||||
| CVE-2025-63951 | 1 Sourcefabric | 1 Phoniebox | 2025-12-31 | N/A | 7.5 HIGH |
| An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service. | |||||
| CVE-2025-62703 | 1 Fugue-project | 1 Fugue | 2025-12-30 | N/A | 8.8 HIGH |
| Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326. | |||||
| CVE-2024-1432 | 1 Iperov | 1 Deepfacelab | 2025-12-30 | 5.1 MEDIUM | 5.0 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22 and classified as problematic. This issue affects the function apply_xseg of the file main.py. The manipulation leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253391. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-26866 | 1 Apache | 1 Hugegraph | 2025-12-29 | N/A | 8.8 HIGH |
| A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue. | |||||
| CVE-2025-9083 | 1 Ninjaforms | 1 Ninja Forms | 2025-12-23 | N/A | 9.8 CRITICAL |
| The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | |||||
| CVE-2017-20206 | 1 Wpmudev | 1 Appointments | 2025-12-23 | N/A | 9.8 CRITICAL |
| The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. | |||||
| CVE-2025-34394 | 1 Barracuda | 1 Rmm | 2025-12-23 | N/A | 9.8 CRITICAL |
| Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution. | |||||
| CVE-2017-20208 | 1 Metagauss | 1 Registrationmagic | 2025-12-19 | N/A | 9.8 CRITICAL |
| The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site. | |||||
| CVE-2019-10068 | 1 Kentico | 1 Xperience | 2025-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted. | |||||
| CVE-2025-55232 | 1 Microsoft | 1 Hpc Pack | 2025-12-19 | N/A | 9.8 CRITICAL |
| Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-66214 | 1 Wearefrank | 1 Ladybug | 2025-12-17 | N/A | 7.0 HIGH |
| Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628. | |||||
| CVE-2025-55184 | 2 Facebook, Vercel | 2 React, Next.js | 2025-12-15 | N/A | 7.5 HIGH |
| A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | |||||
| CVE-2025-36072 | 1 Ibm | 1 Webmethods Integration | 2025-12-15 | N/A | 8.8 HIGH |
| IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graph data. | |||||
| CVE-2025-67779 | 2 Facebook, Vercel | 2 React, Next.js | 2025-12-12 | N/A | 7.5 HIGH |
| It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | |||||
| CVE-2025-61810 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 8.4 HIGH |
| ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed. | |||||
| CVE-2024-10190 | 1 Horovod | 1 Horovod | 2025-12-11 | N/A | 9.8 CRITICAL |
| Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server. | |||||
| CVE-2025-63721 | 1 Hummerrisk | 1 Hummerrisk | 2025-12-11 | N/A | 8.8 HIGH |
| HummerRisk through v1.5.0 uses a vulnerable SnakeYAML component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server. | |||||
