Total
2603 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70559 | 1 Pdfminer | 1 Pdfminer.six | 2026-02-11 | 6.5 Medium |
| pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. | ||||
| CVE-2024-38094 | 1 Microsoft | 1 Sharepoint Server | 2026-02-10 | 7.2 High |
| Microsoft SharePoint Remote Code Execution Vulnerability | ||||
| CVE-2024-38024 | 1 Microsoft | 1 Sharepoint Server | 2026-02-10 | 7.2 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2024-38023 | 1 Microsoft | 1 Sharepoint Server | 2026-02-10 | 7.2 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2025-10492 | 2 Cloud, Jaspersoft | 6 Jasperreports Io, Jasperreports Library, Jasperreports Server and 3 more | 2026-02-10 | 9.8 Critical |
| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library | ||||
| CVE-2025-61140 | 1 Dchester | 1 Jsonpath | 2026-02-09 | 9.8 Critical |
| The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | ||||
| CVE-2025-56005 | 2 Dabeaz, Python | 2 Ply, Ply | 2026-02-06 | 9.8 Critical |
| An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully. | ||||
| CVE-2025-63617 | 2 Alibaba, Kutangguo | 2 Fastjson, Ktg-mes | 2026-02-05 | 6.5 Medium |
| ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. | ||||
| CVE-2020-37071 | 1 Craftcms | 1 Craftcms | 2026-02-04 | 9.8 Critical |
| CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. | ||||
| CVE-2025-48780 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 9.8 Critical |
| A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object. | ||||
| CVE-2025-61505 | 1 E107 | 1 E107 | 2026-02-03 | 6.5 Medium |
| e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase. | ||||
| CVE-2025-30160 | 1 Redlib | 1 Redlib | 2026-02-03 | 7.5 High |
| Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0. | ||||
| CVE-2025-33210 | 1 Nvidia | 1 Isaac Lab | 2026-02-02 | 9 Critical |
| NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. | ||||
| CVE-2025-27925 | 1 Nintex | 1 Automation | 2026-01-29 | 8.5 High |
| Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input. | ||||
| CVE-2025-27522 | 1 Apache | 1 Inlong | 2026-01-28 | 6.5 Medium |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732 | ||||
| CVE-2026-24815 | 1 Datavane | 1 Tis | 2026-01-27 | N/A |
| Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0. | ||||
| CVE-2026-24656 | 1 Apache | 2 Karaf, Karaf Decanter | 2026-01-27 | 3.7 Low |
| Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | ||||
| CVE-2026-0895 | 1 Typo3 | 1 Mailqueue | 2026-01-26 | N/A |
| The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . | ||||
| CVE-2026-0773 | 1 Upsonic | 1 Upsonic | 2026-01-26 | N/A |
| Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | ||||
| CVE-2025-30025 | 1 Axis | 2 Camera Station Pro, Device Manager | 2026-01-23 | 7.8 High |
| The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. | ||||