Total
1866 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0138 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2025-04-16 | 7.5 High |
| MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate or check the data, allowing arbitrary classes to be created. | ||||
| CVE-2021-27460 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2025-04-16 | 10 Critical |
| Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines. | ||||
| CVE-2021-27462 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2025-04-16 | 10 Critical |
| A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre. | ||||
| CVE-2021-27466 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2025-04-16 | 10 Critical |
| A deserialization vulnerability exists in how the ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre. | ||||
| CVE-2021-27470 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2025-04-16 | 10 Critical |
| A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre. | ||||
| CVE-2022-1660 | 1 Keysight | 4 N6841a Rf, N6841a Rf Firmware, N6854a and 1 more | 2025-04-16 | 9.8 Critical |
| The affected products are vulnerable of untrusted data due to deserialization without prior authorization/authentication, which may allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2022-38142 | 1 Deltaww | 1 Infrasuite Device Master | 2025-04-16 | 9.8 Critical |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. | ||||
| CVE-2025-39565 | 2025-04-16 | 6.6 Medium | ||
| Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0. | ||||
| CVE-2021-21956 | 1 Cloudlinux | 1 Imunify360 | 2025-04-15 | 7.8 High |
| A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2025-31935 | 2025-04-15 | 6.2 Medium | ||
| Subnet Solutions PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition. | ||||
| CVE-2025-30985 | 2025-04-15 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in NotFound GNUCommerce allows Object Injection. This issue affects GNUCommerce: from n/a through 1.5.4. | ||||
| CVE-2025-3590 | 2025-04-15 | 6.3 Medium | ||
| A vulnerability has been found in Adianti Framework up to 8.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2022-45185 | 1 Salesagility | 1 Suitecrm | 2025-04-15 | 8.8 High |
| An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. | ||||
| CVE-2024-1772 | 1 Hammadh | 2 Pay.ht Make Your Blog Posts Accessible With Text To Speech Audio, Play.ht | 2025-04-15 | 8.8 High |
| The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2022-2870 | 1 Laravel | 1 Laravel | 2025-04-15 | 4.1 Medium |
| A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206501 was assigned to this vulnerability. | ||||
| CVE-2022-2886 | 1 Laravel | 1 Laravel | 2025-04-15 | 5 Medium |
| A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-206688. | ||||
| CVE-2020-10650 | 2 Fasterxml, Oracle | 3 Jackson-databind, Retail Merchandising System, Retail Sales Audit | 2025-04-14 | 8.1 High |
| A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. | ||||
| CVE-2016-4385 | 1 Hp | 1 Network Automation | 2025-04-12 | N/A |
| The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries. | ||||
| CVE-2016-2510 | 4 Beanshell, Canonical, Debian and 1 more | 8 Beanshell, Ubuntu Linux, Debian Linux and 5 more | 2025-04-12 | 8.1 High |
| BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler. | ||||
| CVE-2016-1114 | 1 Adobe | 1 Coldfusion | 2025-04-12 | 9.8 Critical |
| Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. | ||||