Export limit exceeded: 35583 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3112 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-44371 | 1 Hope-boot Project | 1 Hope-boot | 2025-04-23 | 9.8 Critical |
| hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). | ||||
| CVE-2022-21663 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-04-22 | 6.6 Medium |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | ||||
| CVE-2022-31115 | 1 Amazon | 1 Opensearch | 2025-04-22 | 8.8 High |
| opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2022-39312 | 1 Dataease | 1 Dataease | 2025-04-22 | 9.8 Critical |
| Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue. | ||||
| CVE-2025-32375 | 1 Bentoml | 1 Bentoml | 2025-04-22 | 9.8 Critical |
| BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8. | ||||
| CVE-2024-1748 | 1 Vanderschaar-lab | 1 Autoprognosis | 2025-04-22 | 5 Medium |
| A vulnerability classified as critical was found in van_der_Schaar LAB AutoPrognosis 0.1.21. This vulnerability affects the function load_model_from_file of the component Release Note Handler. The manipulation leads to deserialization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-254530 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-41958 | 1 Super Xray Project | 1 Super Xray | 2025-04-22 | 7.3 High |
| super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2024-20150 | 1 Mediatek | 80 Lr12a, Lr13, Mt2735 and 77 more | 2025-04-22 | 7.5 High |
| In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018. | ||||
| CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2025-04-21 | 9.8 Critical |
| A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | ||||
| CVE-2025-30285 | 1 Adobe | 1 Coldfusion | 2025-04-21 | 8.4 High |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed. | ||||
| CVE-2021-38241 | 1 Ruoyi | 1 Ruoyi | 2025-04-21 | 9.8 Critical |
| Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework. | ||||
| CVE-2022-24282 | 1 Siemens | 1 Sinec Network Management System | 2025-04-21 | 7.2 High |
| A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected system allows to upload JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a maliciously crafted serialized Java object. This could allow the attacker to execute arbitrary code on the device with root privileges. | ||||
| CVE-2022-1799 | 1 Google | 1 Google Play Services Software Development Kit | 2025-04-21 | 5.7 Medium |
| Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release. | ||||
| CVE-2017-8045 | 1 Pivotal Software | 1 Spring Advanced Message Queuing Protocol | 2025-04-20 | N/A |
| In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack. | ||||
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2025-04-20 | N/A |
| IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | ||||
| CVE-2016-5003 | 2 Apache, Redhat | 4 Ws-xmlrpc, Enterprise Linux, Jboss Fuse and 1 more | 2025-04-20 | N/A |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | ||||
| CVE-2016-6199 | 1 Gradle | 1 Gradle | 2025-04-20 | N/A |
| ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. | ||||
| CVE-2016-7050 | 1 Redhat | 5 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Hpc Node and 2 more | 2025-04-20 | N/A |
| SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code. | ||||
| CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2025-04-20 | N/A |
| The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | ||||
| CVE-2017-1000195 | 1 Octobercms | 1 October | 2025-04-20 | N/A |
| October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. | ||||