WordPress Boost plugin <= 2.0.3 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Boost versions = 2.0.3...

PT-2026-44147

GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowed classes restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...

PT-2026-44164

Name of the Vulnerable Software and Affected Versions Basket versions prior to 2.1.17 Description The Basket module, which provides e-commerce and checkout functionality for Drupal sites, fails to sufficiently sanitize user-supplied data before it is processed by the PHP unserialize function. Thi...

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...

CVE-2026-45247

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

CVE-2026-45247

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

CVE-2026-45247

Summary: CVE-2026-45247 affects Mirasvit Full Page Cache Warmer for Magento 2 (pre‑1.11.12). The vulnerability arises from an unsafe PHP deserialization: a crafted serialized object placed in the CacheWarmer cookie is passed to PHP’s unserialize() without class restrictions, enabling unauthentica...

WordPress Entrepreneur - Booking for Small Businesses WordPress Theme theme <= 3.1.3 - PHP Object Injection vulnerability

WordPress Entrepreneur - Booking for Small Businesses WordPress Theme theme = 3.1.3 - PHP Object Injection vulnerability discovered by 0xd4rk5id3 in WordPress Theme Entrepreneur - Booking for Small Businesses WordPress Theme versions = 3.1.3...

WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Plumbing versions = 1.6...

WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Reisen versions = 1.4.1...

WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Hot Coffee versions = 1.7...

Exploit for CVE-2026-3296

CVE-2026-3296 CVE-2026-3296 is a CVSS 9.8 Critical unauthentic...

WordPress EventPrime plugin <= 4.3.2.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by hhhai in WordPress Plugin EventPrime versions = 4.3.2.1...

BIT-DRUPAL-2026-6366 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7...

CVE-2026-6366

A flaw was found in Drupal core. This vulnerability, categorized as an Improperly Controlled Modification of Dynamically-Determined Object Attributes, allows for object injection. An attacker could exploit this to potentially manipulate application logic or achieve other impacts depending on the...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes due to Improperly Controlled Modification of...

CVE-2026-7637

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOSTUSERLOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present i...

CVE-2026-7637

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOSTUSERLOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present i...