CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

102 matches found

OSV•added 2026/06/09 5:16 a.m.•2 views

UBUNTU-CVE-2026-41855

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affect...

8.1CVSS5.6AI score0.00257EPSS

Exploits0References3

Vulnrichment•added 2026/06/09 3:51 a.m.•6 views

CVE-2026-41855 Spring Framework Unsafe Deserialization via Jackson JMS Converters

8.1CVSS5.6AI score0.00257EPSS

Exploits0References1

CNNVD•added 2026/06/09 12:0 a.m.•5 views

VMware Spring Framework 代码问题漏洞

VMware Spring Framework is an open-source Java and JavaEE application framework developed by VMware, Inc. This framework helps developers build high-quality applications. Versions of the VMware Spring Framework prior to 7.0.0, 6.2.0, 6.1.0, and 5.3.0 contain code vulnerabilities. These...

8.1CVSS5.7AI score0.00257EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:38 p.m.•6 views

CVE-2026-34216

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

6.6CVSS5.7AI score0.00532EPSS

Exploits0References1

Tenable Nessus•added 2026/05/22 12:0 a.m.•5 views

Unity Linux 20.1060e / 20.1070e Security Update: rubygem-kramdown (UTSA-2026-016633)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016633 advisory. Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. Tenable has extracted th...

9.8CVSS7.4AI score0.02818EPSS

Exploits1References4

Cvelist•added 2026/05/19 8:31 p.m.•31 views

CVE-2026-34216 CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

6.6CVSS0.00532EPSS

Exploits0References2

CVE•added 2026/05/19 8:31 p.m.•10 views

CVE-2026-34216

CtrlPanel (open-source billing software) has a vulnerability in versions

6.6CVSS6AI score0.00532EPSS

Exploits0References2

Vulnrichment•added 2026/05/19 8:31 p.m.•7 views

CVE-2026-34216 CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

6.6CVSS6AI score0.00532EPSS

Exploits0References2

OSV•added 2026/05/19 6:32 p.m.•4 views

GHSA-9CFW-F3F9-7MM7 APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

9.8CVSS6AI score0.00726EPSS

Exploits0References3

Github Security Blog•added 2026/05/19 6:32 p.m.•5 views

APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

9.8CVSS6AI score0.00726EPSS

Exploits0References3Affected Software1

NVD•added 2026/05/19 4:16 p.m.•8 views

CVE-2026-31072

9.8CVSS0.00726EPSS

Exploits0References2

EUVD•added 2026/05/19 12:0 a.m.•6 views

EUVD-2026-30947

6AI score0.00726EPSS

Exploits0References2

Positive Technologies•added 2026/05/19 12:0 a.m.•9 views

PT-2026-41945

Name of the Vulnerable Software and Affected Versions APScheduler affected versions not specified Description The JSONSerializer and CBORSerializer are subject to Remote Code Execution RCE through insecure deserialization. The unmarshal object function enables arbitrary class instantiation and...

6AI score0.00726EPSS

Exploits0References4

Debian CVE•added 2026/05/19 12:0 a.m.•5 views

CVE-2026-31072

9.8CVSS6AI score0.00726EPSS

Exploits0

Positive Technologies•added 2026/05/19 12:0 a.m.•11 views

PT-2026-42013

Name of the Vulnerable Software and Affected Versions CtrlPanel versions prior to 1.2.0 Description An authenticated admin-level user can achieve Remote Code Execution by supplying an arbitrary class name available in the Composer autoloader. The admin settings update endpoint accepts a fully...

6.6CVSS6AI score0.00532EPSS

Exploits0References6

OSV•added 2026/05/04 6:30 p.m.•1 views

GHSA-CX4M-2P55-RW7J Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtensionClass, String method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

9.8CVSS6.1AI score0.00693EPSS

Exploits0References4

EUVD•added 2026/05/04 4:43 p.m.•6 views

EUVD-2026-27005

6.1AI score0.00693EPSS

Exploits0References1

Vulnrichment•added 2026/05/04 4:43 p.m.•3 views

CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

6.1AI score0.00693EPSS

Exploits0References1

IBM Security Bulletins•added 2026/05/04 12:51 p.m.•4 views

Security Bulletin:ACE Vulnerability in QOS.CH Logback-core 1.5.24: Class Instantiation via Compromised Configuration File

Summary ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a...

1.8CVSS5.8AI score0.00151EPSS

Exploits0Affected Software1