Total: 2616 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39154 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use. | ||||
| CVE-2023-52219 | 1 Gecka | 1 Terms Thumbnails | 2025-05-23 | 9.9 Critical |
| Deserialization of Untrusted Data vulnerability in Gecka Terms Thumbnails. This issue affects Gecka Terms Thumbnails: from n/a through 1.1. | ||||
| CVE-2023-52205 | 1 Svnlabs | 1 Html5 Soundcloud Player With Playlist Free | 2025-05-23 | 9.1 Critical |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free. This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0. | ||||
| CVE-2022-45845 | 1 Nextendweb | 1 Smart Slider 3 | 2025-05-23 | 4.3 Medium |
| Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3. This issue affects Smart Slider 3: from n/a through 3.5.1.9. | ||||
| CVE-2024-22309 | 1 Quantumcloud | 1 Wpbot | 2025-05-23 | 8.7 High |
| Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI. This issue affects ChatBot with AI: from n/a through 5.1.0. | ||||
| CVE-2022-2903 | 1 Ninjaforms | 1 Ninja Forms | 2025-05-21 | 7.2 High |
| The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | ||||
| CVE-2024-5488 | 1 Seopress | 1 Seopress | 2025-05-21 | 9.8 Critical |
| The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. | ||||
| CVE-2025-0767 | 1 Melapress | 1 Wp Activity Log | 2025-05-21 | 9.8 Critical |
| WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php. | ||||
| CVE-2022-40314 | 1 Moodle | 1 Moodle | 2025-05-20 | 9.8 Critical |
| A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. | ||||
| CVE-2018-18447 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | 9.8 Critical |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 2 of 2). | ||||
| CVE-2018-18446 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | 9.8 Critical |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 1 of 2). | ||||
| CVE-2024-24302 | 1 Prestalife | 1 Product Designer | 2025-05-15 | 9.8 Critical |
| An issue was discovered in the Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36 that allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method. | ||||
| CVE-2025-3250 | 1 Eladmin | 1 Eladmin | 2025-05-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in elunez eladmin 2.7. Affected by this issue is some unknown functionality of the file /api/database/testConnect of the component Maintenance Management Module. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-1225 | 1 Qibosoft | 1 Qibocms X1 | 2025-05-15 | 7.3 High |
| A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Affected by this vulnerability is the function rmb_pay of the file /application/index/controller/Pay.php. The manipulation of the argument callback_class leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252847. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45772 | 1 Apache | 1 Lucene Replicator | 2025-05-15 | 5.1 Medium |
| Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy a network-accessible implementation and a corresponding client using an HTTP library that uses the API (e.g., a custom servlet and HttpClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the command line) can mitigate the issue on vulnerable versions without impacting functionality. | ||||
| CVE-2019-10173 | 3 Oracle, Redhat, Xstream | 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more | 2025-05-14 | 9.8 Critical |
| It was found that XStream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (Regression of CVE-2013-7285.) | ||||
| CVE-2025-0734 | 1 Ruoyi | 1 Ruoyi | 2025-05-13 | 4.7 Medium |
| A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-15842 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 8.1 High |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | ||||
| CVE-2022-3291 | 1 Gitlab | 1 Gitlab | 2025-05-13 | 6.5 Medium |
| Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache. | ||||
| CVE-2024-49063 | 1 Microsoft | 1 Muzic | 2025-05-13 | 8.4 High |
| Microsoft/Muzic Remote Code Execution Vulnerability | ||||
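Two rows above name the same class of mitigation without showing it: the CVE-2024-45772 entry recommends a JDK serialization filter such as `-Djdk.serialFilter='!*'`, and the XStream entries (CVE-2021-39154, CVE-2019-10173) point to an allowlist "limited to the minimal required types". The following is an added example, not code from Apache Lucene, XStream or any other project on this page. It uses only the JDK (`java.io.ObjectInputFilter`, Java 9 and later) and constructs its own sample input; the class name `SerialFilterDemo`, the helper names and the pattern strings are assumptions made for the demonstration. It shows the unfiltered (vulnerable) read, the blanket `!*` reject-all filter, and a narrow allowlist with depth and array limits that still accepts the expected type and rejects anything else. The XStream-side equivalent is its `allowTypes`/`allowTypesByWildcard` API, which is not exercised here because it needs the XStream jar.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not code from any project listed on this page). Shows how a JDK
 * serialization filter (JEP 290) turns the command-line mitigation
 * "-Djdk.serialFilter='!*'" quoted for CVE-2024-45772 into a per-stream check,
 * and how an allowlist pattern admits only the types the application expects.
 */
public class SerialFilterDemo {

    /** Serialize an object graph; the bytes stand in for untrusted network input. */
    static byte[] serialize(Object graph) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(graph);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with a per-stream filter built from a jdk.serialFilter pattern.
     * A null pattern means "no filter", i.e. the vulnerable configuration in which
     * every Serializable class on the classpath may be instantiated.
     */
    static Object deserialize(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (pattern != null) {
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            }
            return ois.readObject();
        }
    }

    /** Wraps the outcome as text so the three configurations can be compared side by side. */
    static String tryDeserialize(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        try {
            return "ACCEPTED: " + deserialize(data, pattern);
        } catch (InvalidClassException e) {
            // A filter veto surfaces as InvalidClassException ("filter status: REJECTED")
            // before any constructor, readObject or readResolve of the rejected class runs.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a harmless ArrayList<String>. A gadget chain would be
        // serialized the same way; the filter decides on class names, not on intent.
        List<String> sample = new ArrayList<>();
        sample.add("hello");
        byte[] untrusted = serialize(sample);

        // 1. No filter: the state of a vulnerable deployment.
        System.out.println("no filter     -> " + tryDeserialize(untrusted, null));

        // 2. "!*" is the blanket mitigation from the CVE-2024-45772 entry: rejects every class.
        System.out.println("filter '!*'   -> " + tryDeserialize(untrusted, "!*"));

        // 3. Allowlist: patterns are matched left to right and the first match wins; the trailing
        //    "!*" rejects anything not named. maxdepth/maxarray bound nested-graph resource abuse.
        String allowlist = "java.util.ArrayList;java.lang.String;maxdepth=5;maxarray=1000;!*";
        System.out.println("allowlist     -> " + tryDeserialize(untrusted, allowlist));

        // 4. The same allowlist rejects a type it does not name (java.util.HashMap here).
        byte[] other = serialize(new HashMap<String, String>());
        System.out.println("allowlist/map -> " + tryDeserialize(other, allowlist));

        // Process-wide equivalent of the -Djdk.serialFilter flag (may be set only once per JVM):
        // ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(allowlist));
    }
}
```

Run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The allowlist in step 3 is the shape to prefer over `!*` in production: the reject-all pattern is safe only where, as the Lucene entry notes, nothing legitimate is deserialized on that path, whereas a per-stream allowlist keeps the expected types working while refusing gadget classes by name.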