Total
1926 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more | 2025-05-01 | 9.8 Critical |
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | ||||
| CVE-2019-12814 | 3 Debian, Fasterxml, Redhat | 12 Debian Linux, Jackson-databind, Amq Streams and 9 more | 2025-05-01 | 5.9 Medium |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | ||||
| CVE-2020-10673 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2025-05-01 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | ||||
| CVE-2020-14061 | 5 Debian, Fasterxml, Netapp and 2 more | 20 Debian Linux, Jackson-databind, Active Iq Unified Manager and 17 more | 2025-05-01 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | ||||
| CVE-2021-20190 | 6 Apache, Debian, Fasterxml and 3 more | 10 Nifi, Debian Linux, Jackson-databind and 7 more | 2025-05-01 | 8.1 High |
| A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2020-35728 | 5 Debian, Fasterxml, Netapp and 2 more | 42 Debian Linux, Jackson-databind, Service Level Manager and 39 more | 2025-05-01 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | ||||
| CVE-2020-11113 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2025-05-01 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | ||||
| CVE-2023-36035 | 1 Microsoft | 1 Exchange Server | 2025-04-29 | 8 High |
| Microsoft Exchange Server Spoofing Vulnerability | ||||
| CVE-2023-36039 | 1 Microsoft | 1 Exchange Server | 2025-04-29 | 8 High |
| Microsoft Exchange Server Spoofing Vulnerability | ||||
| CVE-2023-36050 | 1 Microsoft | 1 Exchange Server | 2025-04-29 | 8 High |
| Microsoft Exchange Server Spoofing Vulnerability | ||||
| CVE-2023-36439 | 1 Microsoft | 1 Exchange Server | 2025-04-29 | 8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-38177 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-04-29 | 6.1 Medium |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2025-46481 | 2025-04-29 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in Michael Cannon Flickr Shortcode Importer allows Object Injection. This issue affects Flickr Shortcode Importer: from n/a through 2.2.3. | ||||
| CVE-2025-46473 | 2025-04-29 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection. This issue affects Social Counter: from n/a through 2.0.5. | ||||
| CVE-2022-36964 | 1 Solarwinds | 1 Orion Platform | 2025-04-25 | 8.8 High |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands. | ||||
| CVE-2022-3525 | 1 Librenms | 1 Librenms | 2025-04-24 | 8.8 High |
| Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. | ||||
| CVE-2022-32224 | 2 Activerecord Project, Redhat | 2 Activerecord, Satellite | 2025-04-24 | 9.8 Critical |
| A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE. | ||||
| CVE-2024-24926 | 1 Unitedthemes | 2 Brooklyn, Brooklyn Creativie Multi Purpose Responsive Wordpress Theme | 2025-04-24 | 7.5 High |
| Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6. | ||||
| CVE-2023-49778 | 1 Dmry | 1 Sayfa Sayac | 2025-04-24 | 10 Critical |
| Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6. | ||||
| CVE-2025-3162 | 1 Internlm | 1 Lmdeploy | 2025-04-23 | 5.3 Medium |
| A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | ||||