Total
2104 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0429 | 1 Aipower | 1 Aipower | 2025-01-24 | 7.2 High |
| The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2023-31890 | 1 Glazedlists | 1 Glazed Lists | 2025-01-23 | 9.8 Critical |
| An XML Deserialization vulnerability in glazedlists v1.11.0 allows an attacker to execute arbitrary code via the BeanXMLByteCoder.decode() parameter. | ||||
| CVE-2025-23944 | 2025-01-22 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection. This issue affects WOOEXIM: from n/a through 5.0.0. | ||||
| CVE-2024-3483 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.8 High |
| Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues. | ||||
| CVE-2024-3967 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.6 High |
| Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger remote code execution unisng unsafe java object deserialization. | ||||
| CVE-2023-1967 | 1 Keysight | 1 N8844a | 2025-01-16 | 9.8 Critical |
| Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid. | ||||
| CVE-2022-41778 | 1 Deltaww | 1 Infrasuite Device Master | 2025-01-16 | 9.8 Critical |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. | ||||
| CVE-2023-1139 | 1 Deltaww | 1 Infrasuite Device Master | 2025-01-16 | 8.8 High |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | ||||
| CVE-2023-1145 | 1 Deltaww | 1 Infrasuite Device Master | 2025-01-16 | 7.8 High |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | ||||
| CVE-2023-1399 | 1 Keysight | 2 N6854a, N6854a Firmware | 2025-01-16 | 7.8 High |
| N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution. | ||||
| CVE-2023-51389 | 1 Apache | 1 Hertzbeat | 2025-01-16 | 9.8 Critical |
| Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability. | ||||
| CVE-2024-4200 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | 7.7 High |
| In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. | ||||
| CVE-2024-1856 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | 8.5 High |
| In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. | ||||
| CVE-2024-1801 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | 7.7 High |
| In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. | ||||
| CVE-2024-23052 | 1 5kcrm | 1 Wukongcrm | 2025-01-16 | 9.8 Critical |
| An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component. | ||||
| CVE-2024-1800 | 1 Progress | 1 Telerik Report Server | 2025-01-16 | 9.9 Critical |
| In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability. | ||||
| CVE-2022-4815 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Analytics Server | 2025-01-16 | 8 High |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. | ||||
| CVE-2019-11458 | 1 Cakephp | 1 Cakephp | 2025-01-15 | N/A |
| An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction. | ||||
| CVE-2024-54676 | 1 Apache | 1 Openmeetings | 2025-01-15 | 9.8 Critical |
| Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation. | ||||
| CVE-2024-49375 | 2025-01-15 | 9.1 Critical | ||
| Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access. | ||||