Lucene search
K

8126 matches found

CVE
CVE
added 1 hour ago5 views

CVE-2026-12081

The CVE-2026-12081 entry concerns the WordPress plugin family “Database for Contact Form 7, WPforms, Elementor forms,” affected in versions before 1.5.2. The issue arises from not restricting PHP classes during unserialization of attacker-supplied form-field values, which enables unauthenticated ...

6.2AI score
Exploits0References1
Nuclei
Nuclei
added yesterday57 views

SEOPress < 7.9 - Authentication Bypass

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...

9.8CVSS6.9AI score0.03744EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday30 views

GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...

10CVSS7.3AI score0.28931EPSS
Exploits3References4
Nuclei
Nuclei
added yesterday19 views

Better Search Replace < 1.4.5 - PHP Object Injection

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...

9.8CVSS7.2AI score0.68047EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday118 views

My Geo Posts Free <= 1.2 - PHP Object Injection

The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...

9.8CVSS7.2AI score0.0307EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday73 views

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...

9.3CVSS6.5AI score0.02971EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday464 views

Revive Adserver 4.2 - Remote Code Execution

Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...

9.8CVSS7.1AI score0.57022EPSS
Exploits7References5
Nuclei
Nuclei
added 2 days ago153 views

GiveWP - PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'givetitle' parameter. id: CVE-2024-5932 info: name: GiveWP - PHP Object Injection author:...

10CVSS7.1AI score0.74283EPSS
Exploits11References7
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-43078

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4...

6.1AI score0.002EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-43053

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...

6.1AI score0.00173EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-43081

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

6.1AI score0.00161EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-43082

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

6.1AI score0.00161EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-43054

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...

6.1AI score0.00161EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-43068

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0...

6.1AI score0.00417EPSS
Exploits0References2
CVE
CVE
added 3 days ago444 views

CVE-2026-55804

CVE-2026-55804 concerns Drupal core and describes an improperly controlled modification of dynamically-determined object attributes, enabling a gadget-chain style vulnerability in the core that could facilitate remote code execution or SQL injection if coupled with another vulnerability. Affected...

6.1AI score0.00161EPSS
Exploits0References1
CVE
CVE
added 3 days ago462 views

CVE-2026-55803

Drupal core is affected by CVE-2026-55803 (and related advisories). The issue is Improperly Controlled Modification of Dynamically-Determined Object Attributes that can enable PHP object injection. Affected Drupal core versions include 0.0.0–11.1.* and 11.2.0–11.2.14, 11.3.0–11.3.12, 10.0.0–10.5....

6.1AI score0.00161EPSS
Exploits0References1
CVE
CVE
added 3 days ago9 views

CVE-2026-15083

The CVE describes an information-disclosure risk in the Drupal ECA (Event - Condition - Action) module due to Improperly Controlled Modification of Dynamically-Determined Object Attributes, enabling Object Injection. Affected are ECA: Event - Condition - Action versions 0.0.0–2.1.20, 3.0.0–3.0.12...

6.1AI score0.002EPSS
Exploits0References1
CVE
CVE
added 3 days ago17 views

CVE-2026-13244

CVE-2026-13244 concerns the Drupal module for Tealium iQ Tag Management. The vulnerability arises from Improperly Controlled Modification of Dynamically-Determined Object Attributes in the module, allowing PHP object injection via data stored as serialized strings in the tealiumiq field. Affected...

6.1AI score0.00417EPSS
Exploits0References1
CVE
CVE
added 3 days ago10 views

CVE-2026-55810

CVE-2026-55810 affects the Drupal Plotly.js Graphing module, where the PHP-serialized data stored in plotly_js_graph fields can be unserialized, enabling PHP object injection. Affected versions are Plotly.js Graphing in Drupal from 0.0.0 to 3.0.2. Root cause is Improperly Controlled Modification ...

6.1AI score0.00161EPSS
Exploits0References1
CVE
CVE
added 3 days ago16 views

CVE-2026-55809

The CVE-2026-55809 entry concerns Drupal’s Flag attendance field module. The root cause is an object injection vulnerability caused by handling PHP-serialized data stored in the flag_attendance_field, which can lead to PHP object injection when data are unserialized. Affected versions are Flag at...

6.1AI score0.00173EPSS
Exploits0References1
Rows per page
Query Builder