Total: 2051 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-52577 | 1 Apache | 1 Ignite | 2025-07-14 | 9.0 Critical |
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side. | ||||
CVE-2024-10553 | 2 H2o, H2oai | 2 H2o, H2o-3 | 2025-07-14 | N/A |
A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0. | ||||
CVE-2024-56180 | 1 Apache | 1 Eventmesh | 2025-07-14 | 9.8 Critical |
CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft plugin module in Apache EventMesh (master branch, without a release version) on platforms such as Windows, Linux and macOS allows attackers to send a controlled message and execute code remotely via the Hessian deserialization RPC protocol. Users can use the code under the master branch in the project repo or version 1.11.0 to fix this issue. | ||||
CVE-2025-7099 | 1 Boyun | 1 Boyuncms | 2025-07-13 | 5.6 Medium |
A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-7216 | 1 Lty628 | 1 Aidigu | 2025-07-13 | 7.3 High |
A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-52724 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0. | ||||
CVE-2025-52827 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 8.8 High |
Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3. | ||||
CVE-2025-52826 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 8.8 High |
Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3. | ||||
CVE-2025-52725 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0. | ||||
CVE-2025-28970 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6. | ||||
CVE-2025-6464 | 2 Incsub, Wordpress | 2 Forminator, Wordpress | 2025-07-13 | 7.5 High |
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. | ||||
CVE-2025-52828 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 8.8 High |
Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7. | ||||
CVE-2025-39550 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15. | ||||
CVE-2024-10942 | 2 Wordpress, Yaniiliev | 2 Wordpress, All In One Wp Migration And Backup | 2025-07-13 | 7.5 High |
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit. | ||||
CVE-2024-30228 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.9 Critical |
Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core. This issue affects Hercules Core: from n/a through 6.4. | ||||
CVE-2025-39354 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection. This issue affects Grand Conference: from n/a through 5.2. | ||||
CVE-2025-39356 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection. This issue affects Foodbakery Sticky Cart: from n/a through 3.2. | ||||
CVE-2024-12742 | 1 Ni | 1 G Web Development Software | 2025-07-13 | 7.8 High |
A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web Development Software 2022 Q3 and prior versions. | ||||
CVE-2024-24551 | 1 Bludit | 1 Bludit | 2025-07-13 | N/A |
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | ||||
CVE-2025-46481 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.2 High |
Deserialization of Untrusted Data vulnerability in Michael Cannon Flickr Shortcode Importer allows Object Injection. This issue affects Flickr Shortcode Importer: from n/a through 2.2.3. |