CVE-2026-41006

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

CVE-2026-45134

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from...

ruby:3.3 security update

An update is available for module.ruby, module.rubygem-mysql2, module.rubygem-pg, rubygem-mysql2, ruby, rubygem-pg. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE li...

CVE-2026-8735

A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly availab...

Svelte devalue: DoS via sparse array deserialization

devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...

CVE-2026-33082

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to...

CVE-2026-1462

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safemode=True. This bypasses the security guarantees of safemode and enables arbitrary attacker-controlled...

FEDML 代码问题漏洞

FEDML is a unified and scalable machine learning training and deployment library open source by TensorOpera. Versions of FedML 0.8.9 and earlier have code vulnerabilities, which stem from a deserialization issue in the sendMessage function...

CVE-2025-54001

CVE-2025-54001 describes a PHP object injection via deserialization in ThemeREX Classter (WordPress Classter theme) affecting Classter versions up to 2.5. The provided Connected documents confirm the root cause (deserialization of untrusted data) and the affected product as Classter theme; no exp...

Chamilo 代码问题漏洞

Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.30 had code vulnerabilities. These vulnerabilities stemmed from improper deserialization of POST parameters configurationfile, coursepath, and homepath in the...

WordPress plugin WP Mail Logging 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A code issue...

CVE-2026-25899 Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiberflash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack...

GHSA-H25M-26QC-WCJF Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...

MiracleLinux 8 : java-11-openjdk-11.0.9.11-0.el8 (AXSA:2020-784:09)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-784:09 advisory. OpenJDK: Credentials sent over unencrypted LDAP connection JNDI, 8237990 CVE-2020-14781 OpenJDK: Certificate blacklist bypass via alternate certifica...

MiracleLinux 7 : slf4j-1.7.4-4.el7 (AXSA:2018-2646:01)

The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2018-2646:01 advisory. slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution CVE-2018-8088 Tenable has extracted the preceding...

PT-2026-1951

Name of the Vulnerable Software and Affected Versions Broadcom DX NetOps Spectrum versions 24.3.13 and earlier Description A flaw exists in Broadcom DX NetOps Spectrum on Windows and Linux that allows for Object Injection due to deserialization of untrusted data. This issue impacts the software’s...

CVE-2018-18446

dotPDN Paint.NET before 4.1.2 allows Deserialization of Untrusted Data issue 1 of 2...

CVE-2021-33420

A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object...

CVE-2021-28033

An issue was discovered in the bytestruct crate before 0.6.1 for Rust. There can be a drop of uninitialized memory if a certain deserialization method panics...

CVE-2021-31010

A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report tha...