Total
2059 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31879 | 1 Ibm | 1 I | 2025-07-03 | 7.5 High |
| IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbitrary code leading to a denial of service of network ports on the system, caused by the deserialization of untrusted data. IBM X-Force ID: 287539. | ||||
| CVE-2024-10013 | 2 Progress, Progress Software | 2 Telerik Ui For Winforms, Progress Telerik Ui For Wpf Versions | 2025-07-03 | 7.8 High |
| In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability. | ||||
| CVE-2025-34060 | 2025-07-03 | N/A | ||
| A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. | ||||
| CVE-2025-43713 | 2025-07-03 | 6.5 Medium | ||
| ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0. | ||||
| CVE-2024-13786 | 2025-07-03 | 9.8 Critical | ||
| The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-29807 | 1 Microsoft | 1 Dataverse | 2025-07-03 | 8.7 High |
| Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-39499 | 2025-07-03 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.This issue affects Medicare: from n/a through 2.1.0. | ||||
| CVE-2025-1186 | 1 Xunruicms | 1 Xunruicms | 2025-07-03 | 6.3 Medium |
| A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-29783 | 1 Vllm | 1 Vllm | 2025-07-01 | 9.1 Critical |
| vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0. | ||||
| CVE-2024-42323 | 1 Apache | 1 Hertzbeat | 2025-07-01 | 8.8 High |
| SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue. | ||||
| CVE-2025-21364 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2025-07-01 | 7.8 High |
| Microsoft Excel Security Feature Bypass Vulnerability | ||||
| CVE-2025-53415 | 2025-07-01 | 7.8 High | ||
| Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution | ||||
| CVE-2025-53393 | 2025-06-30 | 6 Medium | ||
| In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics. | ||||
| CVE-2024-29212 | 1 Veeam | 1 Veeam Service Provider Console | 2025-06-30 | N/A |
| Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. | ||||
| CVE-2025-24357 | 1 Vllm | 1 Vllm | 2025-06-27 | 7.5 High |
| vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0. | ||||
| CVE-2025-27520 | 1 Bentoml | 1 Bentoml | 2025-06-27 | 9.8 Critical |
| BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3. | ||||
| CVE-2025-2566 | 2025-06-26 | N/A | ||
| Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server. | ||||
| CVE-2023-26512 | 4 Apache, Apple, Linux and 1 more | 5 Eventmesh, Eventmesh-connector-rabbitmq, Macos and 2 more | 2025-06-25 | 9.8 Critical |
| CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible. | ||||
| CVE-2024-41151 | 1 Apache | 1 Hertzbeat | 2025-06-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. | ||||
| CVE-2025-3413 | 1 Opplus | 1 Springboot-admin | 2025-06-24 | 6.3 Medium |
| A vulnerability has been found in opplus springboot-admin up to a2d5310f44fd46780a8686456cf2f9001ab8f024 and classified as critical. Affected by this vulnerability is the function code of the file SysGeneratorController.java. The manipulation of the argument Tables leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||