CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

241 matches found

EUVD•added 4 days ago•6 views

EUVD-2026-35401

TYPO3 CMS has Insecure Deserialization via Core API...

6.3CVSS5.2AI score0.00588EPSS

Exploits0References6

RedhatCVE•added 5 days ago•7 views

CVE-2026-52751

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes...

8.8CVSS6.3AI score0.00564EPSS

Exploits1References1

EUVD•added 6 days ago•6 views

EUVD-2026-36009

8.8CVSS6.3AI score0.00564EPSS

Exploits1References3

Vulnrichment•added 6 days ago•3 views

CVE-2026-52751 Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection

8.8CVSS6.3AI score0.00564EPSS

Exploits1References3

Positive Technologies•added 6 days ago•8 views

PT-2026-48411

8.8CVSS6.3AI score0.00564EPSS

Exploits1References4

RedHat Linux•added 2026/06/09 11:18 a.m.•6 views

axios: Axios: Remote Code Execution via Prototype Pollution escalation

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote...

4.8CVSS7.5AI score0.00597EPSS

Exploits5References8

EUVD•added 2026/06/06 12:31 a.m.•6 views

EUVD-2026-34922

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize without an allowedclasses restriction in the IdsToCollection::getidsfromstring function, which processes...

8.8CVSS6.6AI score0.00672EPSS

Exploits0References11

RedhatCVE•added 2026/06/05 7:38 p.m.•6 views

CVE-2026-34216

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

6.6CVSS5.7AI score0.00532EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:13 p.m.•4 views

CVE-2026-40901

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializ...

9CVSS6.3AI score0.0063EPSS

Exploits1References1

RedHat Linux•added 2026/06/02 11:27 a.m.•7 views

Apache Camel: camel-jms: camel-sjms: camel-sjms2: camel-amqp: camel-activemq: camel-activemq6: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage

A flaw was found in Apache Camel. A remote attacker could exploit a deserialization vulnerability by sending a specially crafted Java Message Service JMS ObjectMessage to a Camel application acting as a JMS consumer. This vulnerability arises because the application deserializes the message paylo...

9.8CVSS6.4AI score0.00693EPSS

Exploits0References6

EUVD•added 2026/06/01 6:1 p.m.•12 views

EUVD-2026-33740

IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain...

8.5CVSS6.5AI score0.00382EPSS

Exploits0References1

Positive Technologies•added 2026/06/01 12:0 a.m.•11 views

PT-2026-45545

8.5CVSS6.5AI score0.00382EPSS

Exploits0References4

Packet Storm•added 2026/05/29 12:0 a.m.•36 views

📄 MixPHP Framework 2.2.17 Deserialization / Arbitrary Code Execution

MixPHP Framework versions 2.x through 2.2.17 suffer from an insecure deserialization vulnerability that allows for remote code execution. Exploit Title: MixPHP Framework 2.2.17 - Unsafe Deserialization Remote Code Execution Date: 2026-05-14 Exploit Author: cardosource Vendor Homepage:...

8.1CVSS6.1AI score0.01247EPSS

Exploits2

Positive Technologies•added 2026/05/27 12:0 a.m.•12 views

PT-2026-44164

Name of the Vulnerable Software and Affected Versions Basket versions prior to 2.1.17 Description The Basket module, which provides e-commerce and checkout functionality for Drupal sites, fails to sufficiently sanitize user-supplied data before it is processed by the PHP unserialize function. Thi...

5.9AI score

Exploits0References3

GithubExploit•added 2026/05/26 2:55 p.m.•86 views

Exploit for CVE-2026-46275

CVE-2026-46725 — TYPO3 ceselector Extension RCE PHP Objec...

9.2CVSS5.8AI score0.01562EPSS

Exploits1

OSV•added 2026/05/21 8:39 a.m.•4 views

BIT-DRUPAL-2026-6366 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7...

6.6CVSS5.8AI score0.00399EPSS

Exploits0References2

Vulnrichment•added 2026/05/19 10:27 p.m.•7 views

CVE-2026-6366 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

5.8AI score0.00399EPSS

Exploits0References1

CVE•added 2026/05/19 10:27 p.m.•1256 views

CVE-2026-6366

CVE-2026-6366 — Drupal core insecure gadget chain leading to object injection Affects Drupal core: 8.0.0–10.5.8, 10.6.0–10.6.6, 11.0.0–11.2.10, 11.3.0–11.3.7. The issue is an improperly controlled modification of dynamically-determined object attributes that enables a gadget chain when deserializ...

6.6CVSS5.8AI score0.00399EPSS

Exploits0References1Affected Software1