Total
2036 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49712 | 1 Microsoft | 3 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2010 | 2025-08-15 | 8.8 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-53772 | 1 Microsoft | 2 Web Deploy, Web Deploy 4.0 | 2025-08-15 | 8.8 High |
| Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-8875 | 1 N-able | 1 N-central | 2025-08-15 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1. | ||||
| CVE-2024-28777 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-08-15 | 8.8 High |
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application. | ||||
| CVE-2024-45084 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-08-15 | 8 High |
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents. | ||||
| CVE-2024-43191 | 1 Ibm | 1 Cloud Pak For Multicloud Management Monitoring | 2025-08-15 | 7.2 High |
| IBM ManageIQ could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted yaml file request. | ||||
| CVE-2025-8963 | 2025-08-15 | 6.3 Medium | ||
| A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Affected by this issue is some unknown functionality of the file /drag/onlDragDataSource/testConnection of the component Data Large Screen Template. The manipulation leads to deserialization. The attack may be launched remotely. The vendor response to the GitHub issue report is: "Modified, next version updated". | ||||
| CVE-2025-8747 | 1 Keras | 1 Keras | 2025-08-15 | 7.8 High |
| A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive. | ||||
| CVE-2025-23303 | 1 Nvidia | 1 Nemo | 2025-08-15 | 7.8 High |
| NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering. | ||||
| CVE-2025-47536 | 2 Keywordrush, Wordpress | 2 Content Egg, Wordpress | 2025-08-14 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection. This issue affects Content Egg: from n/a through 7.0.0. | ||||
| CVE-2023-38264 | 2 Ibm, Redhat | 3 Java Software Development Kit, Enterprise Linux, Rhel Extras | 2025-08-14 | 5.9 Medium |
| The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578. | ||||
| CVE-2025-49869 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Arraytics Eventin allows Object Injection. This issue affects Eventin: from n/a through 4.0.31. | ||||
| CVE-2025-54686 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio allows Object Injection. This issue affects Exertio: from n/a through 1.3.2. | ||||
| CVE-2025-6810 | 1 Mescius | 1 Activereports.net | 2025-08-14 | N/A |
| Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the ReadValue method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25246. | ||||
| CVE-2025-6811 | 1 Mescius | 1 Activereports.net | 2025-08-14 | N/A |
| Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the TypeResolutionService class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25397. | ||||
| CVE-2025-2180 | 1 Paloaltonetworks | 1 Checkov | 2025-08-14 | N/A |
| An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious terraform file when using Checkov in Prisma® Cloud. This issue impacts Checkov 3.0 versions earlier than Checkov 3.2.415. | ||||
| CVE-2025-34153 | 2025-08-14 | N/A | ||
| Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM. | ||||
| CVE-2025-7384 | 2 Crmperks, Wordpress | 2 Database For Contact Form 7, Wpforms, Elementor Forms, Wordpress | 2025-08-13 | 9.8 Critical |
| The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | ||||
| CVE-2025-55010 | 1 Kanboard | 1 Kanboard | 2025-08-13 | 9.1 Critical |
| Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47. | ||||
| CVE-2025-47277 | 2 Vllm, Vllm-project | 2 Vllm, Vllm | 2025-08-13 | 9.8 Critical |
| vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side. The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured. | ||||