Total
1847 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-7450 | 1 Ibm | 7 Sterling B2b Integrator, Sterling Integrator, Tivoli Common Reporting and 4 more | 2025-04-12 | 9.8 Critical |
| Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. | ||||
| CVE-2016-7124 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2025-04-12 | N/A |
| ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call. | ||||
| CVE-2016-7065 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-12 | N/A |
| The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2015-5344 | 2 Apache, Redhat | 2 Camel, Jboss Fuse | 2025-04-12 | N/A |
| The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | ||||
| CVE-2015-5254 | 3 Apache, Fedoraproject, Redhat | 5 Activemq, Fedora, Jboss Amq and 2 more | 2025-04-12 | N/A |
| Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. | ||||
| CVE-2015-6420 | 1 Apache | 1 Commons Collections | 2025-04-12 | N/A |
| Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | ||||
| CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2025-04-12 | N/A |
| CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | ||||
| CVE-2016-4974 | 1 Apache | 2 Amqp 0-x Jms Client, Jms Client Amqp | 2025-04-12 | N/A |
| Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function. | ||||
| CVE-2015-4852 | 1 Oracle | 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server | 2025-04-12 | 9.8 Critical |
| The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. | ||||
| CVE-2016-9865 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | N/A |
| An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | ||||
| CVE-2014-8165 | 2 Powerpc-utils Project, Redhat | 2 Powerpc-utils, Enterprise Linux | 2025-04-12 | N/A |
| scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object. | ||||
| CVE-2025-32143 | 2025-04-11 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10. | ||||
| CVE-2025-31932 | 2025-04-11 | N/A | ||
| Deserialization of untrusted data issue exists in BizRobo! all versions. If this vulnerability is exploited, an arbitrary code is executed on the Management Console. The vendor provides the workaround information and recommends to apply it to the deployment environment. | ||||
| CVE-2025-32145 | 2025-04-11 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5. | ||||
| CVE-2025-32569 | 2025-04-11 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2. | ||||
| CVE-2025-32568 | 2025-04-11 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2. | ||||
| CVE-2025-32607 | 2025-04-11 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly allows Object Injection. This issue affects WpBookingly: from n/a through 1.2.0. | ||||
| CVE-2025-32144 | 2025-04-11 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager allows Object Injection. This issue affects Job Board Manager: from n/a through 2.1.60. | ||||
| CVE-2022-41966 | 2 Redhat, Xstream Project | 10 Camel Quarkus, Camel Spring Boot, Jboss Enterprise Bpms Platform and 7 more | 2025-04-11 | 8.2 High |
| XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable. | ||||
| CVE-2023-30534 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-04-11 | 4.3 Medium |
| Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||