Total
2200 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-18447 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | 9.8 Critical |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 2 of 2). | ||||
| CVE-2018-18446 | 1 Dotpdn | 1 Paint.net | 2025-05-16 | 9.8 Critical |
| dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data (issue 1 of 2). | ||||
| CVE-2024-24302 | 1 Prestalife | 1 Product Designer | 2025-05-15 | 9.8 Critical |
| An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method. | ||||
| CVE-2025-3250 | 1 Eladmin | 1 Eladmin | 2025-05-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in elunez eladmin 2.7. Affected by this issue is some unknown functionality of the file /api/database/testConnect of the component Maintenance Management Module. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-1225 | 1 Qibosoft | 1 Qibocms X1 | 2025-05-15 | 7.3 High |
| A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Affected by this vulnerability is the function rmb_pay of the file /application/index/controller/Pay.php. The manipulation of the argument callback_class leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252847. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45772 | 1 Apache | 1 Lucene Replicator | 2025-05-15 | 5.1 Medium |
| Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. | ||||
| CVE-2019-10173 | 3 Oracle, Redhat, Xstream | 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more | 2025-05-14 | 9.8 Critical |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | ||||
| CVE-2025-0734 | 1 Ruoyi | 1 Ruoyi | 2025-05-13 | 4.7 Medium |
| A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-15842 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 8.1 High |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | ||||
| CVE-2022-3291 | 1 Gitlab | 1 Gitlab | 2025-05-13 | 6.5 Medium |
| Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache | ||||
| CVE-2024-49063 | 1 Microsoft | 1 Muzic | 2025-05-13 | 8.4 High |
| Microsoft/Muzic Remote Code Execution Vulnerability | ||||
| CVE-2024-49147 | 1 Microsoft | 1 Update Catalog | 2025-05-13 | 9.3 Critical |
| Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver. | ||||
| CVE-2024-49070 | 1 Microsoft | 1 Sharepoint Server | 2025-05-13 | 7.4 High |
| Microsoft SharePoint Remote Code Execution Vulnerability | ||||
| CVE-2022-40889 | 1 Phpok | 1 Phpok | 2025-05-13 | 9.8 Critical |
| Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php. | ||||
| CVE-2022-39198 | 1 Apache | 1 Dubbo | 2025-05-13 | 9.8 Critical |
| A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions. | ||||
| CVE-2025-31103 | 1 Appleple | 1 A-blog Cms | 2025-05-13 | 7.5 High |
| Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server. | ||||
| CVE-2024-2721 | 1 Sygnoos | 1 Social Media Share Buttons | 2025-05-13 | 8.2 High |
| Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0. | ||||
| CVE-2025-47629 | 1 Wp-crm | 1 Wp-crm System | 2025-05-12 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection. This issue affects WP-CRM System: from n/a through 3.4.1. | ||||
| CVE-2023-1650 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | 9.8 Critical |
| The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog | ||||
| CVE-2020-8165 | 4 Debian, Opensuse, Redhat and 1 more | 5 Debian Linux, Leap, Satellite and 2 more | 2025-05-09 | 9.8 Critical |
| A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE. | ||||