Total
2676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44351 | 1 Skycaiji | 1 Skycaiji | 2025-04-23 | N/A | 9.8 CRITICAL |
| Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. | |||||
| CVE-2022-44371 | 1 Hope-boot Project | 1 Hope-boot | 2025-04-23 | N/A | 9.8 CRITICAL |
| hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). | |||||
| CVE-2025-32375 | 1 Bentoml | 1 Bentoml | 2025-04-22 | N/A | 9.8 CRITICAL |
| BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8. | |||||
| CVE-2024-20150 | 1 Mediatek | 80 Lr12a, Lr13, Mt2735 and 77 more | 2025-04-22 | N/A | 7.5 HIGH |
| In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018. | |||||
| CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2025-04-21 | N/A | 9.8 CRITICAL |
| A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | |||||
| CVE-2025-30284 | 1 Adobe | 1 Coldfusion | 2025-04-21 | N/A | 8.4 HIGH |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed. | |||||
| CVE-2025-30285 | 1 Adobe | 1 Coldfusion | 2025-04-21 | N/A | 8.4 HIGH |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed. | |||||
| CVE-2021-38241 | 1 Ruoyi | 1 Ruoyi | 2025-04-21 | N/A | 9.8 CRITICAL |
| Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework. | |||||
| CVE-2023-49442 | 1 Jeecg | 1 Jeecg | 2025-04-17 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. | |||||
| CVE-2022-41596 | 1 Huawei | 2 Emui, Harmonyos | 2025-04-16 | N/A | 7.5 HIGH |
| The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components. | |||||
| CVE-2022-45185 | 1 Salesagility | 1 Suitecrm | 2025-04-15 | N/A | 8.8 HIGH |
| An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. | |||||
| CVE-2023-30534 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-04-11 | N/A | 4.3 MEDIUM |
| Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-57762 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 7.5 HIGH |
| MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. | |||||
| CVE-2024-57763 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. | |||||
| CVE-2024-57764 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. | |||||
| CVE-2024-57766 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | N/A | 9.1 CRITICAL |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. | |||||
| CVE-2023-22850 | 1 Tiki | 1 Tiki | 2025-04-07 | N/A | 8.8 HIGH |
| Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | |||||
| CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2025-04-07 | N/A | 9.8 CRITICAL |
| The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | |||||
| CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | N/A | 8.8 HIGH |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | |||||
| CVE-2024-26289 | 1 Sigb | 1 Pmb | 2025-04-04 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18. | |||||