Total
1996 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-28961 | 2025-07-16 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7. | ||||
| CVE-2025-30949 | 2025-07-16 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4. | ||||
| CVE-2025-49838 | 2025-07-16 | N/A | ||
| GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPreDeEcho. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of AudioPreDeEcho class is created with the model_path attribute containing the aforementioned user input (here called locally model_name). Note that in this step the .pth extension is added to the path. In the AudioPreDeEcho class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available. | ||||
| CVE-2025-49839 | 2025-07-16 | N/A | ||
| GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of Roformer_Loader class is created with the model_path attribute containing the aformentioned user input (here called locally model_name). Note that in this step the .ckpt extension is added to the path. In the Roformer_Loader class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available. | ||||
| CVE-2024-4699 | 1 Dlink | 2 Dar-8000-10, Dar-8000-10 Firmware | 2025-07-16 | 6.3 Medium |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | ||||
| CVE-2024-35249 | 1 Microsoft | 1 Dynamics 365 Business Central | 2025-07-16 | 8.8 High |
| Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability | ||||
| CVE-2024-48063 | 2 Linuxfoundation, Pytorch | 2 Pytorch, Pytorch | 2025-07-16 | 9.8 Critical |
| In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. | ||||
| CVE-2022-41137 | 1 Apache | 1 Hive | 2025-07-15 | 8.3 High |
| Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments. | ||||
| CVE-2024-52338 | 2 Apache, Apache Software Foundation | 2 Arrow, Apache Arrow R Package | 2025-07-15 | 9.8 Critical |
| Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue. | ||||
| CVE-2025-53416 | 2025-07-15 | 7.8 High | ||
| Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution | ||||
| CVE-2025-30023 | 2025-07-15 | 9 Critical | ||
| The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. | ||||
| CVE-2025-7504 | 2025-07-15 | 7.5 High | ||
| The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the sites SALT_NONCE and and SALT_KEY to exploit. | ||||
| CVE-2025-30025 | 2025-07-15 | N/A | ||
| The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. | ||||
| CVE-2025-47732 | 1 Microsoft | 1 Dataverse | 2025-07-15 | 8.7 High |
| Microsoft Dataverse Remote Code Execution Vulnerability | ||||
| CVE-2025-30384 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7.4 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-30382 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7.8 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-30378 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | 7 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-2251 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jbosseapxp | 2025-07-14 | 6.2 Medium |
| A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication. | ||||
| CVE-2024-12433 | 1 Infiniflow | 1 Ragflow | 2025-07-14 | N/A |
| A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0. | ||||
| CVE-2024-11039 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A |
| A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, which can be exploited by constructing a malicious compressed package containing a merge_result.pkl file and a merge_proofread_en.tex file. The vulnerability is fixed in commit 91f5e6b. | ||||