Lucene search
+L

100 matches found

Cvelist
Cvelist
added yesterday9 views

CVE-2026-45162 Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, multiple Pimcore locations call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, including lib/Tool/Authentication.php, models/Site/Dao.php...

8CVSS0.00202EPSS
Exploits0References4
CVE
CVE
added yesterday21 views

CVE-2026-45162

Pimcore is affected by unsafe PHP deserialization across multiple locations. Prior to versions 11.5.17 (LTS) and 12.3.7, several Pimcore code paths call unserialize() on data from database columns and filesystem files without restricting allowed_classes, enabling object injection and potential re...

8CVSS6.3AI score0.00202EPSS
Exploits0References4
Nuclei
Nuclei
added 2 days ago1524 views

Roundcube Webmail - Remote Code Execution

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. id: CVE-2025-49113 info: name: Roundcube Webmail - Remote...

9.9CVSS7.5AI score0.94741EPSS
Exploits29References8
CVE
CVE
added 5 days ago11 views

CVE-2026-57738

CVE-2026-57738 affects WordPress Theme 777 (axiomthemes) up to version 1.13.0. The issue is a PHP object‑injection via deserialization of untrusted data in the 777 plugin/theme, enabling arbitrary object injection with high impact (CVSS 3.1: 9.8, Network attack, no user interaction). Connected so...

9.8CVSS6.1AI score0.00386EPSS
Exploits0References1
NVD
NVD
added 2026/07/08 7:16 a.m.9 views

CVE-2026-12378

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS0.00389EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/08 6:0 a.m.7 views

EUVD-2026-42178

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS6.2AI score0.00389EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2026/05/29 12:0 a.m.69 views

📄 MixPHP Framework 2.2.17 Deserialization / Arbitrary Code Execution

MixPHP Framework versions 2.x through 2.2.17 suffer from an insecure deserialization vulnerability that allows for remote code execution. Exploit Title: MixPHP Framework 2.2.17 - Unsafe Deserialization Remote Code Execution Date: 2026-05-14 Exploit Author: cardosource Vendor Homepage:...

8.1CVSS6.1AI score0.01757EPSS
Exploits2
ATTACKERKB
ATTACKERKB
added 2026/03/26 2:25 a.m.3 views

CVE-2026-3328

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

7.2CVSS6.2AI score0.00533EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/25 4:14 p.m.27 views

CVE-2026-32484 WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through = 1.6.26...

8.8CVSS0.0028EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/25 4:14 p.m.26 views

CVE-2026-25429 WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through = 1.1.1...

9.8CVSS0.00375EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/05 5:53 a.m.1 views

CVE-2026-22475 WordPress Estate theme <= 1.3.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection.This issue affects Estate: from n/a through = 1.3.4...

5.8AI score0.00389EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/05 5:53 a.m.4 views

CVE-2026-22454 WordPress Solaris theme <= 2.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through = 2.5...

5.8AI score0.0051EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/05 5:53 a.m.6 views

CVE-2026-22453 WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through = 2.3...

5.8AI score0.0051EPSS
Exploits0References1
CVE
CVE
added 2026/02/20 5:23 p.m.23 views

CVE-2026-24891

openITCOCKPIT prior to 5.4.0 contains an unsafe deserialization sink in the Gearman worker (oitc_gearman) that calls PHP’s unserialize() on job payloads without class restrictions or origin validation. This enables PHP Object Injection when Gearman is exposed to untrusted systems or network acces...

7.5CVSS5.9AI score0.00359EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/02/20 5:23 p.m.25 views

CVE-2026-24891 openITCOCKPIT has Unsafe PHP Deserialization in Gearman Worker Allowing Conditional Object Injection

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitcgearman calls PHP's unserialize on...

7.5CVSS0.00359EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/20 5:23 p.m.7 views

CVE-2026-24891 openITCOCKPIT has Unsafe PHP Deserialization in Gearman Worker Allowing Conditional Object Injection

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitcgearman calls PHP's unserialize on...

7.5CVSS5.9AI score0.00359EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/19 8:26 a.m.4 views

CVE-2026-23549 WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through = 5.1.1...

9.8CVSS5.5AI score0.00383EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/06 3:54 p.m.2 views

CVE-2025-58619 WordPress Falang multilanguage Plugin <= 1.3.65 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.This issue affects Falang multilanguage: from n/a through = 1.3.65...

8.8CVSS6.6AI score0.00368EPSS
Exploits0References1
CVE
CVE
added 2025/11/06 3:54 p.m.10 views

CVE-2025-53586

CVE-2025-53586 describes a deserialization of untrusted data vulnerability in the WordPress WordPress theme Noi? NooTheme WeMusic (noo-wemusic) affecting versions from n/a through ≤ 1.9.1. The underlying issue is PHP object injection due to deserializing untrusted data in the WeMusic plugin/theme...

8.8CVSS6.6AI score0.00421EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/10/28 12:0 a.m.8 views

PT-2025-44222

Name of the Vulnerable Software and Affected Versions Contact Form CFDB7 versions up to and including 1.3.2 Description The Contact Form CFDB7 plugin for WordPress is affected by a pre-authentication SQL injection that can lead to insecure deserialization PHP Object Injection. Insufficient...

9.6CVSS7.3AI score0.00316EPSS
Exploits0References10
Rows per page
Query Builder