1322 matches found
Prototype Pollution
Overview locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized...
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto as an array or object key, JavaScript's proto setter is invoked, replacing the deserialized...
GHSA-4MPH-V827-F877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto as an array or object key, JavaScript's proto setter is invoked, replacing the deserialized...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...
Locutus 安全漏洞
Locutus is an open-source JavaScript library developed by Locutus. Versions of Locutus prior to 3.0.25 contained security vulnerabilities. These vulnerabilities stemmed from the unserialize function not filtering the proto key, which could lead to prototype pollution, property injection, and...
PT-2026-28587
Name of the Vulnerable Software and Affected Versions Locutus versions prior to 3.0.25 Description The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto ...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process of the AccessTokenAuthenticator class when restoring OAuth token state from cache or storage using PHP's unserialize with allowedclasses = true. An attacker can achieve...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...
CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...
Saloon 代码问题漏洞
Saloon is a PHP API integration and SDK library developed by Saloon PHP Open Source. Versions of Saloon prior to 4.0.0 had code vulnerabilities. These vulnerabilities stemmed from the use of un serialize in AccessTokenAuthenticator::un serialize, which used PHP’s un serialize method to restore th...
PT-2026-28182
Name of the Vulnerable Software and Affected Versions Saloon versions prior to 4.0.0 Description Saloon is a PHP library used for building API integrations and SDKs. The library used PHP's unserialize function in the AccessTokenAuthenticator::unserialize method, with allowed classes set to true, ...
EUVD-2026-13374
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...
PT-2026-26447
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...
Exploit for Improper Input Validation in Typo3
TYPO3 CVE-2020-15099 — Unauthenticated RCE PHP Object Injecti...
CVE-2026-2626
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...
CVE-2026-2626
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...
CVE-2026-2626 Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...
EUVD-2026-11096
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...
PT-2026-24587
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...