Total
2199 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-2165 | 1 Redhat | 9 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Portal Platform and 6 more | 2025-04-11 | N/A |
| ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. | ||||
| CVE-2013-4271 | 2 Redhat, Restlet | 6 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 3 more | 2025-04-11 | N/A |
| The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. | ||||
| CVE-2013-3567 | 5 Canonical, Novell, Puppet and 2 more | 7 Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server and 4 more | 2025-04-11 | N/A |
| Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. | ||||
| CVE-2013-1640 | 3 Canonical, Puppet, Redhat | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2025-04-11 | N/A |
| The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. | ||||
| CVE-2013-0156 | 5 Cloudforms Cloudengine, Debian, Redhat and 2 more | 6 1, Debian Linux, Openshift and 3 more | 2025-04-11 | N/A |
| active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. | ||||
| CVE-2012-4406 | 3 Fedoraproject, Openstack, Redhat | 8 Fedora, Swift, Enterprise Linux Server and 5 more | 2025-04-11 | 9.8 Critical |
| OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. | ||||
| CVE-2013-1800 | 1 John Nunemaker | 1 Crack | 2025-04-11 | N/A |
| The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. | ||||
| CVE-2012-0911 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-04-11 | 9.8 Critical |
| TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. | ||||
| CVE-2024-9052 | 2025-04-10 | N/A | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-57762 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | 7.5 High |
| MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. | ||||
| CVE-2024-57763 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | 9.1 Critical |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. | ||||
| CVE-2024-57764 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | 9.1 Critical |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. | ||||
| CVE-2024-57766 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-10 | 9.1 Critical |
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. | ||||
| CVE-2024-1950 | 1 Wpwax | 1 Product Carousel Slider \& Grid Ultimate For Woocommerce | 2025-04-09 | 7.5 High |
| The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2007-1701 | 2 Php, Redhat | 4 Php, Enterprise Linux, Rhel Application Stack and 1 more | 2025-04-09 | N/A |
| PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:". | ||||
| CVE-2024-30224 | 2 Wholesale Team, Wpxpo | 2 Wholesalex, Wholesalex | 2025-04-08 | 10 Critical |
| Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2. | ||||
| CVE-2024-30221 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-04-08 | 5.4 Medium |
| Deserialization of Untrusted Data vulnerability in WP Sunshine Sunshine Photo Cart.This issue affects Sunshine Photo Cart: from n/a through 3.1.1. | ||||
| CVE-2024-30230 | 1 Acowebs | 1 Pdf Invoices And Packing Slips For Woocommerce | 2025-04-08 | 8.2 High |
| Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7. | ||||
| CVE-2023-22850 | 1 Tiki | 1 Tiki | 2025-04-07 | 8.8 High |
| Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | ||||
| CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2025-04-07 | 9.8 Critical |
| The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | ||||