Total
1829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-23120 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-02 | N/A | 8.8 HIGH |
| A vulnerability allowing remote code execution (RCE) for domain users. | |||||
| CVE-2024-32431 | 1 Wpallimport | 1 Wp All Import | 2025-04-02 | N/A | 4.4 MEDIUM |
| Deserialization of Untrusted Data vulnerability in WP All Import Import Users from CSV.This issue affects Import Users from CSV: from n/a through 1.2. | |||||
| CVE-2025-31612 | 2025-04-02 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll allows Object Injection. This issue affects CBX Poll: from n/a through 1.2.7. | |||||
| CVE-2024-39780 | 2025-04-02 | N/A | 8.4 HIGH | ||
| A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code. This issue has now been fixed for ROS Noetic via commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e. | |||||
| CVE-2025-30892 | 2025-04-02 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7. | |||||
| CVE-2020-0618 | 1 Microsoft | 1 Sql Server | 2025-04-01 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'. | |||||
| CVE-2024-47552 | 1 Apache | 1 Seata | 2025-04-01 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. | |||||
| CVE-2025-31129 | 2025-04-01 | N/A | 8.8 HIGH | ||
| Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x). | |||||
| CVE-2025-27130 | 2025-04-01 | N/A | 6.3 MEDIUM | ||
| Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product. | |||||
| CVE-2025-31074 | 2025-04-01 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in MDJM MDJM Event Management allows Object Injection. This issue affects MDJM Event Management: from n/a through 1.7.5.2. | |||||
| CVE-2025-31087 | 2025-04-01 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5. | |||||
| CVE-2025-29310 | 1 Opennetworking | 1 Onos | 2025-04-01 | N/A | 9.8 CRITICAL |
| An issue in onos v2.7.0 allows attackers to trigger a packet deserialization problem when supplying a crafted LLDP packet. This vulnerability allows attackers to execute arbitrary commands or access network information. | |||||
| CVE-2022-31710 | 1 Vmware | 1 Vrealize Log Insight | 2025-04-01 | N/A | 7.5 HIGH |
| vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. | |||||
| CVE-2018-0824 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1703 and 10 more | 2025-03-31 | 5.1 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | |||||
| CVE-2024-26579 | 1 Apache | 1 Inlong | 2025-03-28 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707 | |||||
| CVE-2025-22526 | 2025-03-28 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in NotFound PHP/MySQL CPU performance statistics allows Object Injection. This issue affects PHP/MySQL CPU performance statistics: from n/a through 1.2.1. | |||||
| CVE-2025-26873 | 2025-03-28 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Shinetheme Traveler.This issue affects Traveler: from n/a through 3.1.8. | |||||
| CVE-2025-20124 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | N/A | 9.9 CRITICAL |
| A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time. | |||||
| CVE-2024-27604 | 1 Alldata | 1 Alldata | 2025-03-27 | N/A | 9.8 CRITICAL |
| Alldata V0.4.6 is vulnerable to Command execution vulnerability. System commands can be deserialized. | |||||
| CVE-2025-2332 | 2025-03-27 | N/A | 9.8 CRITICAL | ||
| The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||