Total: 1806 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-2295 | 2 Debian, Puppet | 2 Debian Linux, Puppet | 2025-04-20 | 6.0 MEDIUM | 8.2 HIGH |
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. | |||||
CVE-2017-0806 | 1 Google | 1 Android | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805. | |||||
CVE-2017-1000208 | 1 Swagger | 2 Swagger-codegen, Swagger-parser | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML Open-API specification is parsed. This, in particular, affects the 'generate' and 'validate' commands in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted YAML specification. | |||||
CVE-2014-9515 | 1 Dozer Project | 1 Dozer | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2017-8829 | 1 Debian | 1 Lintian | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file. | |||||
CVE-2017-7504 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. | |||||
CVE-2017-12633 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
CVE-2024-1685 | 1 Sygnoos | 1 Social Media Share Buttons | 2025-04-18 | N/A | 8.8 HIGH |
The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
CVE-2025-27286 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider allows Object Injection. This issue affects Saoshyant Slider: from n/a through 3.0. | |||||
CVE-2025-27287 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz allows Object Injection. This issue affects SS Quiz: from n/a through 2.0.5. | |||||
CVE-2025-39588 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0. | |||||
CVE-2025-39527 | | | 2025-04-17 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7. | |||||
CVE-2025-39550 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15. | |||||
CVE-2025-32658 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection. This issue affects HelpGent: from n/a through 2.2.4. | |||||
CVE-2025-32572 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection. This issue affects Kata Plus: from n/a through 1.5.2. | |||||
CVE-2025-32571 | | | 2025-04-17 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10. | |||||
CVE-2025-32662 | | | 2025-04-17 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0. | |||||
CVE-2025-32647 | | | 2025-04-17 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer allows Object Injection. This issue affects Question Answer: from n/a through 1.2.70. | |||||
CVE-2025-39551 | | | 2025-04-17 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection. This issue affects FluentBoards: from n/a through 1.47. | |||||
CVE-2025-32686 | | | 2025-04-17 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0. |