8126 matches found
CVE-2026-12081
The CVE-2026-12081 entry concerns the WordPress plugin family “Database for Contact Form 7, WPforms, Elementor forms,” affected in versions before 1.5.2. The issue arises from not restricting PHP classes during unserialization of attacker-supplied form-field values, which enables unauthenticated ...
SEOPress < 7.9 - Authentication Bypass
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...
Better Search Replace < 1.4.5 - PHP Object Injection
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...
My Geo Posts Free <= 1.2 - PHP Object Injection
The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...
SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...
Revive Adserver 4.2 - Remote Code Execution
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...
GiveWP - PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'givetitle' parameter. id: CVE-2024-5932 info: name: GiveWP - PHP Object Injection author:...
EUVD-2026-43078
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4...
EUVD-2026-43053
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...
EUVD-2026-43081
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...
EUVD-2026-43082
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...
EUVD-2026-43054
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...
EUVD-2026-43068
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0...
CVE-2026-55804
CVE-2026-55804 concerns Drupal core and describes an improperly controlled modification of dynamically-determined object attributes, enabling a gadget-chain style vulnerability in the core that could facilitate remote code execution or SQL injection if coupled with another vulnerability. Affected...
CVE-2026-55803
Drupal core is affected by CVE-2026-55803 (and related advisories). The issue is Improperly Controlled Modification of Dynamically-Determined Object Attributes that can enable PHP object injection. Affected Drupal core versions include 0.0.0–11.1.* and 11.2.0–11.2.14, 11.3.0–11.3.12, 10.0.0–10.5....
CVE-2026-15083
The CVE describes an information-disclosure risk in the Drupal ECA (Event - Condition - Action) module due to Improperly Controlled Modification of Dynamically-Determined Object Attributes, enabling Object Injection. Affected are ECA: Event - Condition - Action versions 0.0.0–2.1.20, 3.0.0–3.0.12...
CVE-2026-13244
CVE-2026-13244 concerns the Drupal module for Tealium iQ Tag Management. The vulnerability arises from Improperly Controlled Modification of Dynamically-Determined Object Attributes in the module, allowing PHP object injection via data stored as serialized strings in the tealiumiq field. Affected...
CVE-2026-55810
CVE-2026-55810 affects the Drupal Plotly.js Graphing module, where the PHP-serialized data stored in plotly_js_graph fields can be unserialized, enabling PHP object injection. Affected versions are Plotly.js Graphing in Drupal from 0.0.0 to 3.0.2. Root cause is Improperly Controlled Modification ...
CVE-2026-55809
The CVE-2026-55809 entry concerns Drupal’s Flag attendance field module. The root cause is an object injection vulnerability caused by handling PHP-serialized data stored in the flag_attendance_field, which can lead to PHP object injection when data are unserialized. Affected versions are Flag at...