Total: 1982 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-22850 | 1 Tiki | 1 Tiki | 2025-04-07 | N/A | 8.8 HIGH |
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | |||||
CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2025-04-07 | N/A | 9.8 CRITICAL |
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | |||||
CVE-2025-3165 | | | 2025-04-07 | 4.3 MEDIUM | 5.3 MEDIUM |
A vulnerability classified as critical has been found in thu-pacman chitu 0.1.0. This affects the function torch.load of the file chitu/chitu/backend.py. The manipulation of the argument ckpt_path/quant_ckpt_dir leads to deserialization. An attack has to be approached locally. | |||||
CVE-2025-30889 | | | 2025-04-07 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in PickPlugins Testimonial Slider allows Object Injection. This issue affects Testimonial Slider: from n/a through 2.0.13. | |||||
CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | N/A | 8.8 HIGH |
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | |||||
CVE-2024-26289 | 1 Sigb | 1 Pmb | 2025-04-04 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion. This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18. | |||||
CVE-2019-9875 | 1 Sitecore | 1 Cms | 2025-04-04 | 6.5 MEDIUM | 8.8 HIGH |
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. | |||||
CVE-2019-9874 | 1 Sitecore | 2 Cms, Experience Platform | 2025-04-04 | 7.5 HIGH | 9.8 CRITICAL |
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. | |||||
CVE-2022-41082 | 1 Microsoft | 1 Exchange Server | 2025-04-03 | N/A | 8.0 HIGH |
Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
CVE-2021-42237 | 1 Sitecore | 1 Experience Platform | 2025-04-03 | 10.0 HIGH | 9.8 CRITICAL |
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | |||||
CVE-2025-31084 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-04-03 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart allows Object Injection. This issue affects Sunshine Photo Cart: from n/a through 3.4.10. | |||||
CVE-2024-1772 | 1 Hammadh | 1 Play.ht | 2025-04-03 | N/A | 8.8 HIGH |
The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
CVE-2003-0791 | 2 Mozilla, Sco | 2 Mozilla, Openserver | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed. | |||||
CVE-2025-23006 | 1 Sonicwall | 15 Sma6200, Sma6200 Firmware, Sma6210 and 12 more | 2025-04-02 | N/A | 9.8 CRITICAL |
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands. | |||||
CVE-2024-23114 | 1 Apache | 1 Camel | 2025-04-02 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 | |||||
CVE-2024-22369 | 1 Apache | 1 Camel | 2025-04-02 | N/A | 7.8 HIGH |
Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 | |||||
CVE-2025-23120 | 1 Veeam | 1 Veeam Backup & Replication | 2025-04-02 | N/A | 8.8 HIGH |
A vulnerability allowing remote code execution (RCE) for domain users. | |||||
CVE-2024-32431 | 1 Wpallimport | 1 Wp All Import | 2025-04-02 | N/A | 4.4 MEDIUM |
Deserialization of Untrusted Data vulnerability in WP All Import Import Users from CSV. This issue affects Import Users from CSV: from n/a through 1.2. | |||||
CVE-2025-31612 | | | 2025-04-02 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll allows Object Injection. This issue affects CBX Poll: from n/a through 1.2.7. | |||||
CVE-2025-30892 | | | 2025-04-02 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7. |