Total
2676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24794 | 2025-01-29 | N/A | 6.7 MEDIUM | ||
| The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0. Snowflake fixed the issue in version 3.13.1. | |||||
| CVE-2024-9314 | 1 Rankmath | 1 Seo | 2025-01-29 | N/A | 7.2 HIGH |
| The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted input 'set_redirections' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2023-27068 | 1 Sitecore | 1 Experience Platform | 2025-01-28 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. | |||||
| CVE-2023-20878 | 1 Vmware | 2 Cloud Foundation, Vrealize Operations | 2025-01-27 | N/A | 7.2 HIGH |
| VMware Aria Operations contains a deserialization vulnerability. A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system. | |||||
| CVE-2025-0428 | 1 Aipower | 1 Aipower | 2025-01-24 | N/A | 7.2 HIGH |
| The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2025-0429 | 1 Aipower | 1 Aipower | 2025-01-24 | N/A | 7.2 HIGH |
| The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2023-31890 | 1 Glazedlists | 1 Glazed Lists | 2025-01-23 | N/A | 9.8 CRITICAL |
| An XML Deserialization vulnerability in glazedlists v1.11.0 allows an attacker to execute arbitrary code via the BeanXMLByteCoder.decode() parameter. | |||||
| CVE-2024-0692 | 1 Solarwinds | 1 Security Event Manager | 2025-01-21 | N/A | 8.8 HIGH |
| The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution. | |||||
| CVE-2024-3483 | 1 Microfocus | 1 Imanager | 2025-01-21 | N/A | 7.8 HIGH |
| Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues. | |||||
| CVE-2024-3967 | 1 Microfocus | 1 Imanager | 2025-01-21 | N/A | 7.6 HIGH |
| Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger remote code execution unisng unsafe java object deserialization. | |||||
| CVE-2023-1967 | 1 Keysight | 1 N8844a | 2025-01-16 | N/A | 9.8 CRITICAL |
| Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid. | |||||
| CVE-2024-4200 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | N/A | 7.7 HIGH |
| In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. | |||||
| CVE-2024-23052 | 1 5kcrm | 1 Wukongcrm | 2025-01-16 | N/A | 9.8 CRITICAL |
| An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component. | |||||
| CVE-2019-11458 | 1 Cakephp | 1 Cakephp | 2025-01-15 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction. | |||||
| CVE-2024-54676 | 1 Apache | 1 Openmeetings | 2025-01-15 | N/A | 9.8 CRITICAL |
| Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation. | |||||
| CVE-2023-2288 | 1 Themeisle | 1 Otter | 2025-01-10 | N/A | 8.8 HIGH |
| The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper. | |||||
| CVE-2024-13136 | 1 Wangl1989 | 1 Mysiteforme | 2025-01-10 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-49147 | 1 Microsoft | 1 Update Catalog | 2025-01-10 | N/A | 9.3 CRITICAL |
| Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver. | |||||
| CVE-2024-30042 | 1 Microsoft | 5 365 Apps, Excel, Office and 2 more | 2025-01-08 | N/A | 7.8 HIGH |
| Microsoft Excel Remote Code Execution Vulnerability | |||||
| CVE-2024-30044 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | N/A | 7.2 HIGH |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||