EUVD-2026-20020

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVE-2026-3296 Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVE-2026-3296

The Everest Forms WordPress plugin ( 3.4.3 (e.g., 3.4.4 or later) to fix the issue. If upgrading is not immediate, disable or audit admin entry views to avoid triggering deserialization.

PT-2026-31067

Name of the Vulnerable Software and Affected Versions Everest Forms plugin for WordPress versions up to and including 3.4.3 Description The Everest Forms plugin for WordPress is susceptible to PHP Object Injection due to the unsafe deserialization of untrusted input from form entry metadata. The...

WordPress plugin Everest Forms 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

grav-cms-filecache-object-injection

Grav CMS FileCache Object Injection Description The File...

WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin CTX Feed versions = 6.6.26...

Elastic OTel Java 1.10.0 Security Update (ESA-2026-22 / GHSA-xw7x-h9fj-p2c7)

Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in Elastic OTel Java via a dependency on OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to...

WordPress Frontend Admin by DynamiApps plugin <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts vulnerability

Authenticated Editor+ PHP Object Injection via 'postcontent' of Admin Form Posts vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Frontend Admin by DynamiApps versions = 3.28.31...

EUVD-2026-16070

Saloon has insecure deserialization in AccessTokenAuthenticator...

GHSA-RF88-776R-RCQ9 Saloon has insecure deserialization in AccessTokenAuthenticator

Impact Users of the OAuth2 utilities in Saloon, specifically the AccessTokenAuthenticator class. Patches Upgrade to Saloon v4+ Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 Description The Saloon PHP library used PHP's unserialize in AccessTokenAuthenticator::unserialize ...

Saloon has insecure deserialization in AccessTokenAuthenticator

Impact Users of the OAuth2 utilities in Saloon, specifically the AccessTokenAuthenticator class. Patches Upgrade to Saloon v4+ Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 Description The Saloon PHP library used PHP's unserialize in AccessTokenAuthenticator::unserialize ...

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto as an array or object key, JavaScript's proto setter is invoked, replacing the deserialized...

CVE-2026-3328

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-25031

Deserialization of Untrusted Data vulnerability in parkofideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through 1.27...

CVE-2026-25400

Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through = 24.1.0...

CVE-2026-25358

Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through 2.8.2...

CVE-2026-25360

Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through 1.2.9...

CVE-2026-25359

Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through 3.1.5...