Total: 1658 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-52828 | N/A | N/A | 2025-07-04 | N/A | N/A | Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7.
CVE-2024-10013 | Progress | Telerik UI for WinForms | 2025-07-03 | N/A | 7.8 HIGH | In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), code execution is possible through an insecure deserialization vulnerability.
CVE-2025-29807 | Microsoft | Dataverse | 2025-07-03 | N/A | 8.8 HIGH | Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.
CVE-2025-1186 | XunRuiCMS | XunRuiCMS | 2025-07-03 | N/A | 9.8 CRITICAL | A vulnerability was found in dayrui XunRuiCMS up to 4.6.4 and rated critical. It affects unknown code in the file /Control/Api/Api.php: manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
CVE-2024-13786 | N/A | N/A | 2025-07-02 | N/A | 9.8 CRITICAL | The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP object. No known POP chain is present in the vulnerable software, so this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If such a POP chain is present, it may allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code, depending on the chain.
CVE-2025-53393 | N/A | N/A | 2025-06-28 | N/A | N/A | In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.
CVE-2025-24357 | vLLM | vLLM | 2025-06-27 | N/A | 8.8 HIGH | vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint downloaded from Hugging Face. It uses the torch.load function, whose weights_only parameter defaults to False. When torch.load loads malicious pickle data, it executes arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.
CVE-2025-27520 | BentoML | BentoML | 2025-06-27 | N/A | N/A | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.
CVE-2025-28970 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6.
CVE-2025-52827 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.
CVE-2025-52709 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2.
CVE-2025-52725 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0.
CVE-2025-52826 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
CVE-2025-52724 | N/A | N/A | 2025-06-27 | N/A | N/A | Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0.
CVE-2025-53002 | N/A | N/A | 2025-06-26 | N/A | N/A | LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the training process. The `vhead_file` is loaded without proper safeguards, allowing an attacker to execute arbitrary code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
CVE-2023-26512 | Apache, Apple, Linux and 1 more | eventmesh-connector-rabbitmq, macOS, Linux kernel and 1 more | 2025-06-25 | N/A | 9.8 CRITICAL | CWE-502 Deserialization of Untrusted Data in the rabbitmq-connector plugin module of Apache EventMesh (incubating) V1.7.0 and V1.8.0 on Windows, Linux and macOS platforms allows attackers to send controlled messages and achieve remote code execution via RabbitMQ messages. Users can use the code under the master branch of the project repo to fix this issue; a new version will be released as soon as possible.
CVE-2025-2566 | N/A | N/A | 2025-06-24 | N/A | N/A | Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
CVE-2025-47771 | N/A | N/A | 2025-06-20 | N/A | N/A | PowSyBl (Power System Blocks) is a framework for building power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances. This method takes an InputStream and returns a SparseMatrix object. The issue has been patched in com.powsybl:powsybl-math 6.7.2. A workaround is to avoid SparseMatrix deserialization (the SparseMatrix.read(...) methods).
CVE-2025-1403 | IBM | Qiskit | 2025-06-18 | N/A | N/A | Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream, which can cause a segfault within the symengine library.
CVE-2022-1471 | SnakeYAML Project | SnakeYAML | 2025-06-18 | N/A | 9.8 CRITICAL | SnakeYAML's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. Use SnakeYAML's SafeConstructor when parsing untrusted content to restrict deserialization, and upgrade to version 2.0 or later.
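CVE-2025-24357 (vLLM) and CVE-2025-53002 (LLaMA-Factory) in the table above share one root cause: torch.load on an attacker-supplied checkpoint with weights_only=False hands the file to Python's pickle, and pickle calls whatever importable global the stream names. The example below is added here and is not code from vLLM, LLaMA-Factory or PyTorch; it reproduces the failure with the standard library only (no torch, the checkpoint is a constructed stand-in for a state_dict) and shows the allowlisting Unpickler pattern that weights_only=True is built on. The allowlist contents are an assumption chosen for the example, not PyTorch's actual list.

```python
import io
import os
import pickle
from collections import OrderedDict


# --- Attacker side: what a poisoned checkpoint looks like --------------------

class MaliciousCheckpoint:
    """Constructed stand-in for a poisoned model file.

    pickle serialises whatever __reduce__ returns, here (callable, args).
    The class itself never appears in the stream; only a reference to
    builtins.eval and its argument string do, and the loader calls it.
    """

    def __reduce__(self):
        # Any importable callable works (os.system, subprocess.Popen, ...).
        # eval is used so the effect is observable without touching the host.
        return (eval, ("__import__('os').getpid()",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint() -> bytes:
    # Constructed stand-in for a real state_dict: tensors replaced by float lists.
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]),
                                     ("layer.bias", [0.0])]))


# --- Loader side: vulnerable vs hardened -------------------------------------

def load_unsafe(blob: bytes):
    """Equivalent of torch.load(..., weights_only=False): plain pickle."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler, the pattern behind weights_only=True.

    find_class is consulted for every global the stream references, so
    anything outside the allowlist is rejected before it can be called.
    ALLOWED is illustrative (an assumption), not PyTorch's real list.
    """

    ALLOWED = {
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Run both loaders against both checkpoints and report what happened."""
    results = {}
    mal = build_malicious_checkpoint()
    # Unsafe loader: pickle resolved builtins.eval and ran attacker-chosen code.
    results["unsafe_ran_attacker_code"] = load_unsafe(mal) == os.getpid()
    # Safe loader: the same stream is rejected when eval is looked up.
    try:
        load_safe(mal)
        results["safe_blocked_attacker_code"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_attacker_code"] = True
    # Safe loader still accepts a legitimate state_dict.
    results["safe_loaded_weights"] = dict(load_safe(build_benign_checkpoint()))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the malicious stream contains no reference to MaliciousCheckpoint at all, so scanning a checkpoint for suspicious class names finds nothing; the only reliable control is refusing to resolve globals the loader does not expect, which is what the overridden find_class does.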