Total
2104 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23512 | 1 Wpxpo | 1 Wowstore | 2025-05-07 | 8.7 High |
| Deserialization of Untrusted Data vulnerability in wpxpo ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks.This issue affects ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks: from n/a through 3.1.4. | ||||
| CVE-2024-22320 | 1 Ibm | 1 Operational Decision Manager | 2025-05-07 | 9.8 Critical |
| IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146. | ||||
| CVE-2024-1198 | 1 Openbi | 1 Openbi | 2025-05-07 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in openBI up to 6.0.3. Affected is the function addxinzhi of the file application/controllers/User.php of the component Phar Handler. The manipulation of the argument outimgurl leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252696. | ||||
| CVE-2022-39944 | 1 Apache | 1 Linkis | 2025-05-07 | 8.8 High |
| In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0. | ||||
| CVE-2024-34433 | 1 Ocdi | 1 One Click Demo Import | 2025-05-07 | 4.4 Medium |
| Deserialization of Untrusted Data vulnerability in OCDI One Click Demo Import.This issue affects One Click Demo Import: from n/a through 3.2.0. | ||||
| CVE-2024-26580 | 1 Apache | 1 Inlong | 2025-05-07 | 9.1 Critical |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673 | ||||
| CVE-2024-28213 | 1 Naver | 1 Ngrinder | 2025-05-07 | 9.8 Critical |
| nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization. | ||||
| CVE-2024-28212 | 1 Naver | 1 Ngrinder | 2025-05-07 | 9.8 Critical |
| nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization. | ||||
| CVE-2024-28211 | 1 Naver | 1 Ngrinder | 2025-05-07 | 9.8 Critical |
| nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker. | ||||
| CVE-2022-40238 | 1 Cert | 1 Vince | 2025-05-07 | 8.8 High |
| A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed. | ||||
| CVE-2025-0855 | 2025-05-07 | 9.8 Critical | ||
| The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-29433 | 1 Alldata | 1 Alldata | 2025-05-07 | 9.8 Critical |
| A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data. | ||||
| CVE-2022-3380 | 1 Wpbeaverbuilder | 1 Customizer Export\/import | 2025-05-06 | 7.2 High |
| The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | ||||
| CVE-2022-3374 | 1 Oceanwp | 1 Ocean Extra | 2025-05-06 | 7.2 High |
| The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | ||||
| CVE-2022-3366 | 1 Publishpress | 1 Capabilities | 2025-05-06 | 7.2 High |
| The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. | ||||
| CVE-2022-3360 | 1 Thimpress | 1 Learnpress | 2025-05-06 | 8.1 High |
| The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function. | ||||
| CVE-2022-3357 | 1 Nextendweb | 1 Smart Slider 3 | 2025-05-06 | 8.8 High |
| The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site. | ||||
| CVE-2025-2855 | 1 Eladmin | 1 Eladmin | 2025-05-06 | 4.7 Medium |
| A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is the function checkFile of the file /api/deploy/upload. The manipulation of the argument servers leads to deserialization. The attack may be launched remotely. | ||||
| CVE-2023-46615 | 1 Kallidan | 1 Kd Coming Soon | 2025-05-06 | 5.4 Medium |
| Deserialization of Untrusted Data vulnerability in Kalli Dan. KD Coming Soon.This issue affects KD Coming Soon: from n/a through 1.7. | ||||
| CVE-2023-49772 | 1 Phpbits | 1 Genesis Simple Love | 2025-05-06 | 10 Critical |
| Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0. | ||||