Total
1658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7696 | 2025-07-19 | N/A | 9.8 CRITICAL | ||
| The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | |||||
| CVE-2024-3366 | 1 Xuxueli | 1 Xxl-job | 2025-07-18 | N/A | 9.8 CRITICAL |
| A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480. | |||||
| CVE-2025-36038 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2025-07-18 | N/A | 9.8 CRITICAL |
| IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. | |||||
| CVE-2025-47784 | 1 Emlog | 1 Emlog | 2025-07-18 | N/A | 9.8 CRITICAL |
| Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. | |||||
| CVE-2025-27203 | 2 Adobe, Microsoft | 2 Connect, Windows | 2025-07-18 | N/A | 9.6 CRITICAL |
| Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed. | |||||
| CVE-2025-49533 | 1 Adobe | 1 Experience Manager | 2025-07-18 | N/A | 9.8 CRITICAL |
| Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged. | |||||
| CVE-2025-39565 | 1 Melapress | 1 Melapress Login Security | 2025-07-17 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0. | |||||
| CVE-2025-30973 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3. | |||||
| CVE-2025-24779 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in NooTheme Yogi allows Object Injection. This issue affects Yogi: from n/a through 2.9.0. | |||||
| CVE-2025-28961 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7. | |||||
| CVE-2025-30949 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4. | |||||
| CVE-2025-31422 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through 2.4. | |||||
| CVE-2025-24777 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7. | |||||
| CVE-2025-53990 | 2025-07-16 | N/A | N/A | ||
| Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2. | |||||
| CVE-2024-48063 | 1 Linuxfoundation | 1 Pytorch | 2025-07-16 | N/A | 9.8 CRITICAL |
| In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. | |||||
| CVE-2025-47994 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2025-07-15 | N/A | 8.6 HIGH |
| Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally. | |||||
| CVE-2024-12433 | 1 Infiniflow | 1 Ragflow | 2025-07-14 | N/A | N/A |
| A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0. | |||||
| CVE-2024-11039 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A | N/A |
| A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, which can be exploited by constructing a malicious compressed package containing a merge_result.pkl file and a merge_proofread_en.tex file. The vulnerability is fixed in commit 91f5e6b. | |||||
| CVE-2024-10553 | 1 H2o | 1 H2o | 2025-07-14 | N/A | N/A |
| A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0. | |||||
| CVE-2025-6742 | 1 Brainstormforce | 1 Sureforms | 2025-07-11 | N/A | 7.5 HIGH |
| The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||