Total
1805 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4905 | 2025-05-19 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far. | |||||
| CVE-2025-30382 | 1 Microsoft | 1 Sharepoint Server | 2025-05-19 | N/A | 7.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | |||||
| CVE-2025-48134 | 2025-05-19 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection. This issue affects WP Tabs: from n/a through 2.2.11. | |||||
| CVE-2025-42999 | 1 Sap | 1 Netweaver | 2025-05-16 | N/A | 9.1 CRITICAL |
| SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | |||||
| CVE-2025-47292 | 2025-05-16 | N/A | N/A | ||
| Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes and which can be controlled by unauthenticated user. Exploitation of this vulnerability can lead to Remote Code Execution. The vulnerability is fixed in commit 812f2a7d271b76deab1175bdaf2be0b8102dd198. | |||||
| CVE-2025-3623 | 2025-05-16 | N/A | 8.1 HIGH | ||
| The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files. | |||||
| CVE-2025-4701 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. This issue affects the function torch.load of the file models/utils.py. The manipulation of the argument path leads to deserialization. It is possible to launch the attack on the local host. | |||||
| CVE-2025-47784 | 2025-05-16 | N/A | N/A | ||
| Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. | |||||
| CVE-2025-4742 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Affected is the function main of the file grpo_vanilla.py. The manipulation leads to deserialization. Local access is required to approach this attack. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-4740 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in BeamCtrl Airiana up to 11.0. It has been declared as problematic. This vulnerability affects unknown code of the file coef. The manipulation leads to deserialization. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-18447 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | N/A | 9.8 CRITICAL |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 2 of 2). | |||||
| CVE-2018-18446 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | N/A | 9.8 CRITICAL |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 1 of 2). | |||||
| CVE-2024-24302 | 1 Prestalife | 1 Product Designer | 2025-05-15 | N/A | 9.8 CRITICAL |
| An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method. | |||||
| CVE-2025-3250 | 1 Eladmin | 1 Eladmin | 2025-05-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in elunez eladmin 2.7. Affected by this issue is some unknown functionality of the file /api/database/testConnect of the component Maintenance Management Module. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-20926 | 3 Debian, Netapp, Oracle | 8 Debian Linux, Cloud Insights Acquisition Unit, Cloud Insights Storage Workload Security Agent and 5 more | 2025-05-15 | N/A | 5.9 MEDIUM |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2024-45772 | 1 Apache | 1 Lucene Replicator | 2025-05-15 | N/A | 5.1 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such asĀ -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. | |||||
| CVE-2025-30378 | 1 Microsoft | 1 Sharepoint Server | 2025-05-14 | N/A | 7.0 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | |||||
| CVE-2025-0734 | 1 Ruoyi | 1 Ruoyi | 2025-05-13 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-30012 | 2025-05-13 | N/A | 3.9 LOW | ||
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM stack to accept binary Java objects in specific encoding format. On successful exploitation, an authenticated attacker with high privileges could send malicious payload request and receive an outbound DNS request, resulting in deserialization of data in the application. This vulnerability has low impact on confidentiality, integrity and availability of the application. | |||||
| CVE-2020-15842 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.8 MEDIUM | 8.1 HIGH |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | |||||