Total
2221 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62703 | 2025-11-26 | 8.8 High | ||
| Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326. | ||||
| CVE-2025-51746 | 2025-11-26 | 9.8 Critical | ||
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. | ||||
| CVE-2025-51745 | 2025-11-26 | 9.8 Critical | ||
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | ||||
| CVE-2025-51744 | 2025-11-26 | 9.8 Critical | ||
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. | ||||
| CVE-2025-51743 | 2025-11-26 | 9.8 Critical | ||
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks. | ||||
| CVE-2025-51742 | 2025-11-26 | 9.8 Critical | ||
| An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. | ||||
| CVE-2025-9191 | 2025-11-26 | 6.3 Medium | ||
| The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-59245 | 1 Microsoft | 1 Sharepoint Online | 2025-11-26 | 9.8 Critical |
| Microsoft SharePoint Online Elevation of Privilege Vulnerability | ||||
| CVE-2025-62204 | 1 Microsoft | 5 Office Sharepoint Server, Sharepoint Enterprise Server 2016, Sharepoint Server and 2 more | 2025-11-25 | 8 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-13467 | 1 Redhat | 1 Build Keycloak | 2025-11-25 | 5.5 Medium |
| A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | ||||
| CVE-2025-61168 | 2025-11-25 | 9.8 Critical | ||
| An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. | ||||
| CVE-2025-64408 | 1 Apache | 1 Causeway | 2025-11-25 | 6.3 Medium |
| Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue. | ||||
| CVE-2024-53477 | 1 Jflyfox | 1 Jfinal Cms | 2025-11-25 | 9.8 Critical |
| JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java | ||||
| CVE-2025-62164 | 1 Vllm-project | 1 Vllm | 2025-11-24 | 8.8 High |
| vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1. | ||||
| CVE-2025-13081 | 1 Drupal | 2 Drupal, Drupal Core | 2025-11-24 | 5.9 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2025-13145 | 2 Smackcoders, Wordpress | 3 Ultimate Csv Importer, Wp Ultimate Csv Importer, Wordpress | 2025-11-24 | 7.2 High |
| The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2025-66055 | 2 Icegram, Wordpress | 2 Email Subscribers & Newsletters, Wordpress | 2025-11-24 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10. | ||||
| CVE-2025-66073 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.5 Medium |
| Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.This issue affects WP Webhooks: from n/a through <= 3.3.8. | ||||
| CVE-2025-59287 | 1 Microsoft | 12 Server, Server Service, Windows Server and 9 more | 2025-11-22 | 9.8 Critical |
| Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-59285 | 1 Microsoft | 3 Azure, Azure Monitor, Azure Monitor Agent | 2025-11-22 | 7 High |
| Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||||