Total
1982 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7697 | 2025-07-22 | N/A | 9.8 CRITICAL | ||
| The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | |||||
| CVE-2025-7876 | 2025-07-22 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical was found in Metasoft 美特软件 MetaCRM up to 6.4.2. This vulnerability affects the function AnalyzeParam of the file download.jsp. The manipulation of the argument p leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2019-6446 | 2 Fedoraproject, Numpy | 2 Fedora, Numpy | 2025-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources. | |||||
| CVE-2024-3366 | 1 Xuxueli | 1 Xxl-job | 2025-07-18 | 2.7 LOW | 3.5 LOW |
| A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480. | |||||
| CVE-2025-36038 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2025-07-18 | N/A | 9.0 CRITICAL |
| IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. | |||||
| CVE-2025-47784 | 1 Emlog | 1 Emlog | 2025-07-18 | N/A | 9.8 CRITICAL |
| Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. | |||||
| CVE-2025-27203 | 2 Adobe, Microsoft | 2 Connect, Windows | 2025-07-18 | N/A | 9.6 CRITICAL |
| Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed. | |||||
| CVE-2025-49533 | 1 Adobe | 1 Experience Manager | 2025-07-18 | N/A | 9.8 CRITICAL |
| Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged. | |||||
| CVE-2025-7433 | 2025-07-17 | N/A | 8.8 HIGH | ||
| A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution. | |||||
| CVE-2025-39565 | 1 Melapress | 1 Melapress Login Security | 2025-07-17 | N/A | 6.6 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0. | |||||
| CVE-2025-25034 | 2025-07-16 | N/A | N/A | ||
| A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. | |||||
| CVE-2025-53990 | 2025-07-16 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2. | |||||
| CVE-2025-31422 | 2025-07-16 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through 2.4. | |||||
| CVE-2025-30949 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4. | |||||
| CVE-2025-30973 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3. | |||||
| CVE-2025-24777 | 2025-07-16 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7. | |||||
| CVE-2025-28961 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7. | |||||
| CVE-2025-24779 | 2025-07-16 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in NooTheme Yogi allows Object Injection. This issue affects Yogi: from n/a through 2.9.0. | |||||
| CVE-2024-4699 | 1 Dlink | 2 Dar-8000-10, Dar-8000-10 Firmware | 2025-07-16 | 6.5 MEDIUM | 6.3 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | |||||
| CVE-2024-48063 | 1 Linuxfoundation | 1 Pytorch | 2025-07-16 | N/A | 9.8 CRITICAL |
| In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. | |||||