Total
2599 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33725 | 1 Metabase | 1 Metabase | 2026-04-02 | 7.2 High |
| Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the `POST /api/ee/serialization/import` endpoint. A crafted serialization archive injects an `INIT` property into the H2 JDBC spec, which can execute arbitrary SQL during a database sync. We confirmed this was possible on Metabase Cloud. This only affects Metabase Enterprise. Metabase OSS lacks the affected codepaths. All versions of Metabase Enterprise that have serialization, which dates back to at least version 1.47, are affected. Metabase Enterprise versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4 patch the issue. As a workaround, disable the serialization import endpoint in their Metabase instance to prevent access to the vulnerable codepaths. | ||||
| CVE-2026-4851 | 1 Casiano | 2 Grid::machine, Grid\ | 2026-04-02 | 9.8 Critical |
| GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval() $arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41 $arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response: $VAR1 = do { system("..."); }; This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design but the trust requirement for the remote host is not documented in the distribution. | ||||
| CVE-2026-20963 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-04-02 | 9.8 Critical |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-58839 | 2026-04-01 | N/A | ||
| Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Object Injection.This issue affects eDS Responsive Menu: from n/a through <= 1.2. | ||||
| CVE-2025-58815 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon aitasi-coming-soon allows Object Injection.This issue affects Aitasi Coming Soon: from n/a through <= 2.0.2. | ||||
| CVE-2025-58662 | 2 Getawesomesupport, Wordpress | 2 Awesome Support, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support awesome-support allows Object Injection.This issue affects Awesome Support: from n/a through <= 6.3.5. | ||||
| CVE-2025-58644 | 2 Enituretechnology, Wordpress | 2 Ltl Freight Quotes, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition ltl-freight-quotes-tql-edition allows Object Injection.This issue affects LTL Freight Quotes - TQL Edition: from n/a through <= 1.2.6. | ||||
| CVE-2025-58643 | 2 Enituretechnology, Wordpress | 2 Ltl Freight Quotes, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Daylight Edition ltl-freight-quotes-daylight-edition allows Object Injection.This issue affects LTL Freight Quotes – Daylight Edition: from n/a through <= 2.2.7. | ||||
| CVE-2025-58642 | 2 Enituretechnology, Wordpress | 2 Ltl Freight Quotes, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Day & Ross Edition ltl-freight-quotes-day-ross-edition allows Object Injection.This issue affects LTL Freight Quotes – Day & Ross Edition: from n/a through <= 2.1.11. | ||||
| CVE-2025-58218 | 2026-04-01 | N/A | ||
| Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection.This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9. | ||||
| CVE-2025-57919 | 2 Conveythis, Wordpress | 2 Language Translate Widget For Wordpress Conveythis, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in ConveyThis ConveyThis conveythis-translate allows Object Injection.This issue affects ConveyThis: from n/a through <= 269.1. | ||||
| CVE-2025-54742 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8. | ||||
| CVE-2025-54686 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.This issue affects Exertio: from n/a through <= 1.3.2. | ||||
| CVE-2025-54053 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg groundhogg allows Object Injection.This issue affects Groundhogg: from n/a through <= 4.2.2. | ||||
| CVE-2025-54014 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1. | ||||
| CVE-2025-54012 | 2 Welcart, Wordpress | 2 E-commerce, Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Object Injection.This issue affects Welcart e-Commerce: from n/a through <= 2.11.16. | ||||
| CVE-2025-54007 | 2026-04-01 | N/A | ||
| Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11. | ||||
| CVE-2025-53990 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Object Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.1.2. | ||||
| CVE-2025-53584 | 2026-04-01 | N/A | ||
| Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Object Injection.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2. | ||||
| CVE-2025-53583 | 1 Wordpress | 1 Wordpress | 2026-04-01 | N/A |
| Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue affects Employee Spotlight: from n/a through <= 5.1.1. | ||||