Lucene search
K

1884 matches found

NCSC
NCSC
added yesterday4 views

Vulnerabilities in SAP-products

SAP has identified vulnerabilities in the following SAP NetWeaver Application Server ABAP, SAP Approuter, SAP Commerce Cloud, SAP NetWeaver Application Server Java, SAProuter, SAP Change and Transport System Attach Tool, SAP NetWeaver Enterprise Portal, SAP S/4HANA modules, SAP Fiori Launchpad, S...

9.9CVSS7.1AI score0.01339EPSS
Exploits7
Nuclei
Nuclei
added yesterday156 views

Wazuh - Unsafe Deserialization Remote Code Execution

A critical Remote Code Execution RCE vulnerability exists in Wazuh server versions = 4.4.0 and = 4.4.0 and 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using...

9.9CVSS7.4AI score0.93027EPSS
Exploits10References3
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-44795 Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading...

8.8CVSS0.01001EPSS
Exploits0References4
CVE
CVE
added 6 days ago13 views

CVE-2026-59827

Metabase (open-source BI/analytics) prior to versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4 is vulnerable when using an H2 database connection (including the default sample DB). The flaw allows an authenticated user who can run native H2 queries to deserialize arbitrary Java objects from H2 qu...

9.9CVSS6.2AI score0.00457EPSS
Exploits1References6Affected Software1
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-59827 Metabase: Unsafe Deserialization of H2 Query Results

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns ...

9.9CVSS0.00457EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 6 days ago6 views

CVE-2026-54499

A flaw was found in Stanza, a Stanford NLP Python library. Stanza model loaders, such as stanza.models.common.pretrain.Pretrain.load, attempt to safely load PyTorch checkpoint files. However, if this safe load fails due to an attacker-controllable pickle.UnpicklingError, the loaders fall back to ...

7.5CVSS6.5AI score0.00317EPSS
Exploits1References7
Cvelist
Cvelist
added last week35 views

CVE-2026-54499 Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders

Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load attempt torch.load..., weightsonly=True but fall back to torch.load...,...

7.5CVSS0.00317EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/07/07 3:16 p.m.5 views

CVE-2026-14534

A flaw was found in the fickling library, which is designed to safely handle Python pickle data. The library's security checks in versions up to and including 0.1.10 fail to properly identify and block certain dangerous Python standard library modules during deserialization. This oversight allows...

8.8CVSS6.2AI score0.00342EPSS
Exploits1References7
OSV
OSV
added 2026/07/06 3:42 p.m.3 views

CVE-2026-43825 Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel

Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: before 3.0.0-M4 libsvm document categorization module; introduced in OPENNLP-1808 and only present on the 3.x line Description: SvmDoccatModel.deserializeInputStream reads an attacker-controlled stream with...

7.3CVSS6.6AI score0.08786EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/06 3:42 p.m.30 views

CVE-2026-43825 Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel

Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: before 3.0.0-M4 libsvm document categorization module; introduced in OPENNLP-1808 and only present on the 3.x line Description: SvmDoccatModel.deserializeInputStream reads an attacker-controlled stream with...

0.08786EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 3:42 p.m.11 views

CVE-2026-43825

The CVE concerns Apache OpenNLP’s SvmDoccatModel (libsvm document categorization module), with impact on 3.x releases before 3.0.0-M4. The vulnerability arises in SvmDoccatModel.deserialize(InputStream), which uses java.io.ObjectInputStream.readObject() on an attacker-controlled stream without an...

7.3CVSS6.7AI score0.08786EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/06 7:54 a.m.35 views

CVE-2026-40859 Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter...

0.00724EPSS
Exploits1References1
OSV
OSV
added 2026/07/06 7:54 a.m.4 views

CVE-2026-40859 Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter...

8.1CVSS6.5AI score0.00724EPSS
Exploits1References5
CVE
CVE
added 2026/07/06 7:54 a.m.19 views

CVE-2026-40859

CVE-2026-40859 – Apache Camel Camel-Vertx-Http deserialization vulnerability : The camel-vertx-http component deserializes HTTP response bodies with Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream without an ObjectInputFilter, when transferException=true (o...

8.1CVSS6.7AI score0.00724EPSS
Exploits1References2Affected Software1
Debian
Debian
added 2026/07/05 6:56 p.m.8 views

[SECURITY] [DSA 6380-1] mediawiki security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6380-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 05, 2026 https://www.debian.org/security/faq -...

9.8CVSS6AI score0.00503EPSS
Exploits0
NVD
NVD
added 2026/07/04 2:16 p.m.8 views

CVE-2026-14534

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00342EPSS
Exploits1References4
NVD
NVD
added 2026/07/04 2:16 a.m.10 views

CVE-2025-71362

picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources...

8.1CVSS0.003EPSS
Exploits0References2
CVE
CVE
added 2026/07/04 1:23 a.m.19 views

CVE-2025-71369

CVE-2025-71369 affects the Python utility picklescan (versions prior to 0.0.28). The vulnerability arises when pickle files leverage torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, enabling bypass of safety checks and allowing remote code execution during deserialization...

8.1CVSS6.3AI score0.00445EPSS
Exploits0References2
OSV
OSV
added 2026/07/04 1:23 a.m.6 views

CVE-2025-71369 picklescan - Unsafe Deserialization via torch.utils.data.datapipes.utils.decoder.basichandlers

picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization,...

7.6CVSS6.3AI score0.00445EPSS
Exploits0References4
OSV
OSV
added 2026/07/04 1:23 a.m.2 views

CVE-2025-71362 picklescan - Arbitrary Code Execution via Unsafe Deserialization in numpy.f2py.crackfortran

picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources...

7.6CVSS6.1AI score0.003EPSS
Exploits0References4
Rows per page
Query Builder