Total
1893 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30892 | 2025-04-02 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7. | ||||
| CVE-2025-21364 | 1 Microsoft | 2 365 Apps, Office | 2025-04-02 | 7.8 High |
| Microsoft Excel Security Feature Bypass Vulnerability | ||||
| CVE-2020-0618 | 1 Microsoft | 1 Sql Server | 2025-04-01 | 8.8 High |
| A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'. | ||||
| CVE-2024-47552 | 1 Apache | 1 Seata | 2025-04-01 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. | ||||
| CVE-2025-31129 | 2025-04-01 | 8.8 High | ||
| Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x). | ||||
| CVE-2025-27130 | 2025-04-01 | N/A | ||
| Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product. | ||||
| CVE-2025-31074 | 2025-04-01 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in MDJM MDJM Event Management allows Object Injection. This issue affects MDJM Event Management: from n/a through 1.7.5.2. | ||||
| CVE-2025-31087 | 2025-04-01 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5. | ||||
| CVE-2025-29310 | 1 Opennetworking | 1 Onos | 2025-04-01 | 9.8 Critical |
| An issue in onos v2.7.0 allows attackers to trigger a packet deserialization problem when supplying a crafted LLDP packet. This vulnerability allows attackers to execute arbitrary commands or access network information. | ||||
| CVE-2024-7804 | 2025-04-01 | N/A | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-0724 | 1 Metagauss | 1 Profilegrid | 2025-04-01 | 8.8 High |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2022-31710 | 1 Vmware | 1 Vrealize Log Insight | 2025-04-01 | 7.5 High |
| vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. | ||||
| CVE-2018-0824 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1703 and 10 more | 2025-03-31 | 8.8 High |
| A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | ||||
| CVE-2021-39321 | 1 Heateor | 1 Sassy Social Share | 2025-03-31 | 8.8 High |
| Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function. | ||||
| CVE-2024-26579 | 2 Apache, Apache Software Foundation | 2 Inlong, Apache Inlong | 2025-03-28 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707 | ||||
| CVE-2025-26873 | 2025-03-28 | 9 Critical | ||
| Deserialization of Untrusted Data vulnerability in Shinetheme Traveler.This issue affects Traveler: from n/a through 3.1.8. | ||||
| CVE-2025-22526 | 2025-03-28 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in NotFound PHP/MySQL CPU performance statistics allows Object Injection. This issue affects PHP/MySQL CPU performance statistics: from n/a through 1.2.1. | ||||
| CVE-2025-20124 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | 9.9 Critical |
| A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time. | ||||
| CVE-2024-27604 | 1 Alldata | 1 Alldata | 2025-03-27 | 9.8 Critical |
| Alldata V0.4.6 is vulnerable to Command execution vulnerability. System commands can be deserialized. | ||||
| CVE-2025-30773 | 2025-03-27 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress allows Object Injection. This issue affects TranslatePress: from n/a through 2.9.6. | ||||