Lucene search
K

26796 matches found

CVE
CVE
added 1 hour ago5 views

CVE-2026-15529

A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. Affected is the function pyod.utils.persistence.load of the file pyod/utils/persistence.py. Performing a manipulation of the argument path results in deserialization. The attack can be initiated remotely. The pull request to fix thi...

6.5CVSS6.5AI score
Exploits0References7
Nuclei
Nuclei
added yesterday83 views

IBM Operational Decision Manager - Java Deserialization

IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to...

9.8CVSS7.3AI score0.73398EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday73 views

Cacti < 1.2.25 Insecure Deserialization

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. id: CVE-2023-30534 info: name: Cacti 1.2.25 Insecure Deserialization author: k0pak4 severity: medium description: | Cacti is an open source...

4.3CVSS6.7AI score0.02569EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday16 views

Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. id: CVE-2026-34486 info: name: Apache Tomcat Tribes EncryptInterceptor Bypass - Remote...

7.5CVSS7AI score0.21691EPSS
Exploits6References3
Nuclei
Nuclei
added yesterday31 views

Qwik - Unauthenticated RCE via server$ Deserialization

Qwik =1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely, exploit requires require availability at runtime. id: CVE-2026-27971 info: name: Qwik - Unauthenticated RCE via server$ Deserialization...

9.8CVSS6.3AI score0.04632EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday168 views

Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. id: CVE-2016-4437 info: name: Apache Shiro 1.2.4 Cookie RememberME -...

9.8CVSS7.2AI score0.92988EPSS
Exploits9References5
Nuclei
Nuclei
added yesterday19 views

Better Search Replace < 1.4.5 - PHP Object Injection

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...

9.8CVSS7.2AI score0.68047EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday21 views

TYPO3 ceselector Extension - Insecure Deserialization

TYPO3 extension contains a PHP Object Injection caused by passing attacker-controlled cookie to unserialize without validation, letting remote unauthenticated attackers achieve remote code execution, exploit requires Persistent Mode: Static configuration. id: CVE-2026-46725 info: name: TYPO3...

9.2CVSS6.2AI score0.02306EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday21 views

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

10CVSS7.2AI score0.99999EPSS
Exploits10References2
Nuclei
Nuclei
added yesterday43 views

Veeam Backup & Replication - Unauthenticated

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution RCE. id: CVE-2024-40711 info: name: Veeam Backup & Replication - Unauthenticated author: rootxharsh,iamnoooob,DhiyaneshDK severity: critical description: | A deserializati...

9.8CVSS7.5AI score0.88193EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday63 views

XStream 1.4.18 - Remote Code Execution

XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

8.5CVSS7AI score0.16118EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday86 views

XStream 1.4.18 - Arbitrary Code Execution

XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

8.5CVSS7AI score0.143EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday55 views

XStream <1.4.14 - Remote Code Execution

XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of...

9.3CVSS7AI score0.85001EPSS
Exploits7References5
Nuclei
Nuclei
added yesterday18 views

QVIS NVR/DVR - Remote Code Execution

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization. id: CVE-2021-41419 info: name: QVIS NVR/DVR - Remote Code Execution author: me9187 severity: critical description: | QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java...

9.8CVSS7.2AI score0.06757EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday16 views

Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution

Zoho ManageEngine OpManager before 12.5.329 contains a remote code execution caused by a general bypass in the deserialization class, letting unauthenticated attackers execute arbitrary code, exploit requires no authentication id: CVE-2021-3287 info: name: Zoho ManageEngine OpManager 12.5.329 -...

9.8CVSS7.6AI score0.51332EPSS
Exploits4References2
Nuclei
Nuclei
added yesterday193 views

Adobe ColdFusion WDDX Deserialization Gadgets

Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. id: CVE-2023-44353 info: name: Adobe ColdFusion WDDX...

9.8CVSS7.2AI score0.80178EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday16 views

Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4,...

9.8CVSS7AI score0.35564EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday97 views

SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE

SolarWinds Web Help Desk before version 2026.1 contains an insecure deserialization vulnerability in the jabsorb JSON-RPC library. When chained with a CSRF whitelist bypass CVE-2025-40536, remote unauthenticated attackers can exploit JNDI injection via the Apache Xalan JNDIConnectionPool class to...

9.8CVSS7.3AI score0.8413EPSS
Exploits4References4
Nuclei
Nuclei
added yesterday44 views

Apache Solr - Deserialization of Untrusted Data

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. id:...

9.8CVSS7.5AI score0.77508EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday1452 views

Roundcube Webmail - Remote Code Execution

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. id: CVE-2025-49113 info: name: Roundcube Webmail - Remote...

9.9CVSS7.5AI score0.94741EPSS
Exploits29References8
Rows per page
Query Builder