Export limit exceeded: 363318 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (2954 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69329 2 Jthemes, Wordpress 2 Prestige, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1.
CVE-2025-69370 2 Themegoods, Wordpress 2 Capella, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection.This issue affects Capella: from n/a through <= 2.5.5.
CVE-2025-69371 2 Ancorathemes, Wordpress 2 Kindlycare, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection.This issue affects KindlyCare: from n/a through <= 1.6.1.
CVE-2025-69372 2 Ancorathemes, Wordpress 2 Sevenhills, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection.This issue affects SevenHills: from n/a through <= 1.6.2.
CVE-2025-69382 2 Themesflat, Wordpress 2 Themesflat Addons For Elementor, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in themesflat Themesflat Elementor themesflat-elementor allows Object Injection.This issue affects Themesflat Elementor: from n/a through <= 1.0.1.
CVE-2025-69404 2 Themerex, Wordpress 2 Extreme Store, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10.
CVE-2025-69405 2 Themerex, Wordpress 2 Lorem Ipsum | Books & Media Store, Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.
CVE-2025-70559 1 Pdfminer 1 Pdfminer.six 2026-04-15 6.5 Medium
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512.
CVE-2025-7433 2026-04-15 8.8 High
A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution.
CVE-2025-9121 1 Hitachi 2 Vantara Pentaho Business Analytics Server, Vantara Pentaho Data Integration And Analytics 2026-04-15 8.8 High
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
CVE-2025-9571 1 Google 1 Cloud Data Fusion 2026-04-15 N/A
A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: * 6.10.6+ * 6.11.1+  Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases .
CVE-2016-15044 2026-04-15 N/A
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.
CVE-2021-27017 1 Puppet 1 Puppet Agent 2026-04-15 6.6 Medium
Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release.
CVE-2025-42963 2026-04-15 9.1 Critical
A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.
CVE-2023-27531 2026-04-15 5.3 Medium
There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code
CVE-2024-11409 1 Priyajain2802 1 Grid View Gallery 2026-04-15 7.2 High
The Grid View Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input from cs_all_photos_details parameter. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-11501 1 Webdzier 1 Gallery 2026-04-15 8.8 High
The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-11662 1 Welliamcao 1 Opsmanage 2026-04-15 6.3 Medium
A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. It has been rated as critical. This issue affects the function deploy_host_vars of the file /apps/api/views/deploy_api.py of the component API Endpoint. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-12029 2026-04-15 N/A
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
CVE-2024-12044 2026-04-15 N/A
A remote code execution vulnerability exists in open-mmlab/mmdetection version v3.3.0. The vulnerability is due to the use of the `pickle.loads()` function in the `all_reduce_dict()` distributed training API without proper sanitization. This allows an attacker to execute arbitrary code by broadcasting a malicious payload to the distributed training network.