Total
1811 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45084 | 2025-02-19 | 8 High | ||
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents. | ||||
| CVE-2024-28777 | 2025-02-19 | 8.8 High | ||
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application. | ||||
| CVE-2023-26547 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-19 | 7.8 High |
| The InputMethod module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation. | ||||
| CVE-2023-26548 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-19 | 7.5 High |
| The pgmng module has a vulnerability in serialization/deserialization. Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2022-36978 | 1 Ivanti | 1 Avalanche | 2025-02-18 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15448. | ||||
| CVE-2022-36977 | 1 Ivanti | 1 Avalanche | 2025-02-18 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Management Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15449. | ||||
| CVE-2022-36974 | 1 Ivanti | 1 Avalanche | 2025-02-18 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15330. | ||||
| CVE-2022-36971 | 1 Ivanti | 1 Avalanche | 2025-02-18 | 8.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15301. | ||||
| CVE-2023-28462 | 2 Oracle, Payara | 2 Jdk, Payara Server | 2025-02-18 | 9.8 Critical |
| A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed. | ||||
| CVE-2025-1186 | 2025-02-18 | 6.3 Medium | ||
| A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2561 | 1 Opclabs | 1 Quickopc | 2025-02-18 | 7.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC 2022.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XML files in Connectivity Explorer. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16596. | ||||
| CVE-2020-29312 | 1 Zend | 1 Zend Framework | 2025-02-18 | 9.8 Critical |
| An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. | ||||
| CVE-2022-28685 | 1 Aveva | 1 Aveva Edge | 2025-02-18 | 7.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of APP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17212. | ||||
| CVE-2024-56180 | 2025-02-18 | 9.8 Critical | ||
| CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue. | ||||
| CVE-2021-39144 | 6 Debian, Fedoraproject, Netapp and 3 more | 22 Debian Linux, Fedora, Snapmanager and 19 more | 2025-02-18 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2024-52577 | 2025-02-14 | 9.8 Critical | ||
| In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side. | ||||
| CVE-2020-2555 | 1 Oracle | 9 Access Manager, Coherence, Commerce Platform and 6 more | 2025-02-14 | 9.8 Critical |
| Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2022-1463 | 1 Booking Calendar Project | 1 Booking Calendar | 2025-02-13 | 8.8 High |
| The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site. | ||||
| CVE-2024-27322 | 1 R Project | 1 R | 2025-02-13 | 8.8 High |
| Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-26580 | 1 Apache | 1 Inlong | 2025-02-13 | 9.1 Critical |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673 | ||||