Export limit exceeded: 362578 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (2916 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48853 1 Elixir-grpc 1 Grpc 2026-06-16 N/A
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.
CVE-2026-39434 2 Webappick, Wordpress 2 Ctx Feed, Wordpress 2026-06-16 7.2 High
Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.
CVE-2026-39472 2 Wordpress, Wpovernight 2 Wordpress, Woocommerce Pdf Invoices\& Packing Slips 2026-06-16 7.2 High
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.
CVE-2026-49768 2 Happyforms, Wordpress 2 Happyforms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
CVE-2026-27333 2 Videowhisper.com, Wordpress 2 Paid Videochat Turnkey Site, Wordpress 2026-06-16 8.1 High
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.
CVE-2026-49106 2 Crmperks, Wordpress 2 Integration For Contact Form 7 And Constant Contact, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
CVE-2026-49765 2 Crm Perks, Wordpress 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
CVE-2026-49085 2 Crmperks, Wordpress 2 Wp Insightly For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
CVE-2026-49781 2 Brainstorm Force, Wordpress 2 Ottokit, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
CVE-2026-49763 2 Crm Perks, Wordpress 2 Integration For Contact Form 7 Hubspot, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
CVE-2026-49105 2 Crmperks, Wordpress 2 Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
CVE-2026-39471 2 Shortpixel, Wordpress 2 Shortpixel Image Optimizer, Wordpress 2026-06-16 7.2 High
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
CVE-2026-12191 1 Comma Ai 1 Openpilot 2026-06-15 7.8 High
A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-20251 1 Splunk 4 Splunk, Splunk Cloud Platform, Splunk Enterprise and 1 more 2026-06-15 8.8 High
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
CVE-2016-4978 2 Apache, Redhat 3 Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform 2026-06-15 7.2 High
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CVE-2026-11860 1 Opensolution 1 Quick.cms 2026-06-15 N/A
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
CVE-2026-50632 1 Apache 1 Cxf 2026-06-13 8.1 High
A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
CVE-2026-50633 1 Apache 1 Cxf 2026-06-13 8.1 High
A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
CVE-2026-41699 2 Spring, Vmware 2 Spring For Graphql, Spring For Graphql 2026-06-12 8.1 High
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
CVE-2026-45484 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-06-12 8.8 High
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.