Total: 2036 CVEs

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2025-30973 | | | 2025-07-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3. |
CVE-2025-30949 | | | 2025-07-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4. |
CVE-2024-4699 | 1 Dlink | 2 Dar-8000-10, Dar-8000-10 Firmware | 2025-07-16 | 6.3 Medium | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. |
CVE-2024-35249 | 1 Microsoft | 1 Dynamics 365 Business Central | 2025-07-16 | 8.8 High | Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability |
CVE-2024-48063 | 2 Linuxfoundation, Pytorch | 2 Pytorch, Pytorch | 2025-07-16 | 9.8 Critical | In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. |
CVE-2022-41137 | 1 Apache | 1 Hive | 2025-07-15 | 8.3 High | Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions; the method is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments. |
CVE-2024-52338 | 2 Apache, Apache Software Foundation | 2 Arrow, Apache Arrow R Package | 2025-07-15 | 9.8 Critical | Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can be read into a Table and its internal `to_data_frame()` method can be used as a workaround (e.g., `read_parquet(..., as_data_frame = FALSE)$to_data_frame()`). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue. |
CVE-2025-53416 | | | 2025-07-15 | 7.8 High | Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution |
CVE-2025-30023 | | | 2025-07-15 | 9.0 Critical | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. |
CVE-2025-30025 | | | 2025-07-15 | N/A | The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. |
CVE-2025-47732 | 1 Microsoft | 1 Dataverse | 2025-07-15 | 8.7 High | Microsoft Dataverse Remote Code Execution Vulnerability |
CVE-2025-30384 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7.4 High | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
CVE-2025-30382 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7.8 High | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
CVE-2025-30378 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7.0 High | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
CVE-2024-12433 | 1 Infiniflow | 1 Ragflow | 2025-07-14 | N/A | A vulnerability in infiniflow/ragflow version v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey `authkey=b'infiniflow-token4kevinhu'`, which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0. |
CVE-2024-11039 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A | A pickle deserialization vulnerability exists in the LaTeX English error-correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, which can be exploited by constructing a malicious compressed package containing a `merge_result.pkl` file and a `merge_proofread_en.tex` file. The vulnerability is fixed in commit 91f5e6b. |
CVE-2024-52577 | 1 Apache | 1 Ignite | 2025-07-14 | 9.0 Critical | In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side. |
CVE-2024-10553 | 2 H2o, H2oai | 2 H2o, H2o-3 | 2025-07-14 | N/A | A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints `POST /99/ImportSQLTable` and `POST /3/SaveToHiveTable`, where user-controlled JDBC URLs are passed to `DriverManager.getConnection`, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0. |
CVE-2024-56180 | 1 Apache | 1 Eventmesh | 2025-07-14 | 9.8 Critical | CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft plugin module of Apache EventMesh (master branch, no release version) on Windows, Linux and macOS platforms allows attackers to send a controlled message and achieve remote code execution via the Hessian deserialization RPC protocol. Users can use the code under the master branch in the project repo or version 1.11.0 to fix this issue. |
CVE-2025-7099 | 1 Boyun | 1 Boyuncms | 2025-07-13 | 5.6 Medium | A vulnerability has been found in BoyunCMS up to 1.21 on PHP 7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high and exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. |
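Added example (written for this page; not code from RagFlow, gpt_academic or any other project listed above). It demonstrates the pattern behind the CVE-2024-12433 and CVE-2024-11039 entries: `pickle.loads()` on bytes a peer controls, and an allowlist that admits a whole library instead of exact names. The hostile and benign messages, the gadget and the `ALLOWED_GLOBALS` contents are constructed for illustration; `referenced_globals()` is a static triage step that lists what a pickle would import without executing it, and `restricted_loads()` is the hardened loader.

```python
# Added example for this page; not code from RagFlow, gpt_academic or any other
# project listed above. Messages, gadget and allowlist are constructed here.
import io
import pickle
import pickletools
from collections import OrderedDict


def unsafe_loads(wire_bytes: bytes):
    """The handler shape behind CVE-2024-12433: pickle.loads() on peer-sent bytes.

    A pickle is a program for a small stack machine. GLOBAL/STACK_GLOBAL imports
    any importable attribute and REDUCE calls it with attacker-chosen arguments,
    so unpickling untrusted input is code execution by design. A shared authkey
    only decides who may talk to the socket; a hard-coded one decides nothing.
    """
    return pickle.loads(wire_bytes)


class _Gadget:
    """Constructed attacker object: on load, REDUCE calls eval() with this string."""

    def __reduce__(self):
        # Harmless stand-in for os.system(...): proves arbitrary code ran.
        return (eval, ("__import__('os').getpid()",))


MALICIOUS_PICKLE = pickle.dumps(_Gadget())  # constructed hostile message
BENIGN_PICKLE = pickle.dumps(OrderedDict(job="proofread", pages=[1, 2]))  # constructed legit message


def referenced_globals(wire_bytes: bytes) -> set[tuple[str, str]]:
    """List every (module, name) a pickle would import, without executing it.

    Triage/detection step: a message that should carry plain data but references
    builtins.eval, posix.system, subprocess.* or numpy.* is hostile.
    Covers GLOBAL (protocol < 4, "module name" in one arg) and STACK_GLOBAL
    (protocol >= 4, module and name are the two most recent string pushes).
    Limitation: a string re-used through a BINGET memo lookup is not resolved.
    """
    found: set[tuple[str, str]] = set()
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(wire_bytes):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.add((recent_strings[-2], recent_strings[-1]))
        elif "UNICODE" in opcode.name and isinstance(arg, str):
            recent_strings.append(arg)
    return found


# Exact (module, name) pairs the application actually needs. CVE-2024-11039
# shows why allowing a whole library (numpy) is not a control: every callable
# under the allowed module becomes a candidate gadget.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
})


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is consulted when GLOBAL is reached, before any REDUCE runs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(wire_bytes: bytes):
    """Hardened loader. Still prefer a data-only format (JSON) for RPC messages:
    an allowlist is only as safe as its least safe entry, and a pickle can still
    exhaust memory or CPU before any global is reached."""
    return RestrictedUnpickler(io.BytesIO(wire_bytes)).load()


def rejects(wire_bytes: bytes) -> bool:
    """True if the restricted loader refuses the message without running it."""
    try:
        restricted_loads(wire_bytes)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("hostile message references:", referenced_globals(MALICIOUS_PICKLE))
    print("rejected by restricted loader:", rejects(MALICIOUS_PICKLE))
    print("benign payload:", restricted_loads(BENIGN_PICKLE))
```

Running the module shows the hostile message referencing `builtins.eval`, being refused by `restricted_loads()` with the gadget never called, and the benign `OrderedDict` message loading normally; `unsafe_loads(MALICIOUS_PICKLE)` by contrast executes the embedded expression and returns the process id. The static check is cheap enough to run on every inbound message as a detection signal even where the loader is already restricted.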