191 matches found
EUVD-2026-42659
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns ...
EUVD-2026-41824
Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter...
CVE-2026-44501
DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend datahub-frontend-react deserializes attacker-controlled Java objects from the REDIRECTURL HTTP cookie during the OIDC callback flow, with no integrity protection no HMAC, no encryption. This is a Deserialization o...
Apache Camel 代码问题漏洞
Apache Camel is an open-source integration framework based on the Enterprise Integration Pattern EIP, developed by the Apache Foundation in the United States. This framework provides implementations of Java objects in accordance with the EIP pattern, and routing and mediation rules are configured...
c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects
A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...
CVE-2026-27830
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...
MiracleLinux 4 : xmlrpc3-3.0-4.17.AXS4 (AXSA:2018-3129:01)
The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2018-3129:01 advisory. xmlrpc: Deserialization of untrusted Java object through tag CVE-2016-5003 Tenable has extracted the preceding description block directly from the MiracleLin...
MiracleLinux 7 : xmlrpc-3.1.3-9.el7 (AXSA:2018-3132:01)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2018-3132:01 advisory. xmlrpc: Deserialization of untrusted Java object through tag CVE-2016-5003 Tenable has extracted the preceding description block directly from the MiracleLin...
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation Disable LDAP referrals in all LDAP user providers in all realms...
Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...
CVE-2025-13467 Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...
Red Hat build of Keycloak 安全漏洞
Red Hat build of Keycloak is a web application for single sign-on from Red Hat, Inc. A security vulnerability exists in Red Hat build of Keycloak version 26.2, which originates from deserializing untrusted Java objects and could lead to remote code execution...
EUVD-2023-3294
Malicious code in bioql PyPI...
EUVD-2023-24437
Malicious code in bioql PyPI...
EUVD-2023-28958
Malicious code in bioql PyPI...
EUVD-2025-16888
Malicious code in bioql PyPI...
EUVD-2021-28602
Malicious code in bioql PyPI...
CVE-2025-20276
A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insecure...
Cisco Unified CCX 代码问题漏洞
Cisco Unified CCX is a contact center software from Cisco USA. A code issue vulnerability exists in Cisco Unified CCX that stems from insecure deserialization of Java objects, which could lead to the execution of arbitrary code...
CVE-2024-28213
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization...