Lucene search
K

1319 matches found

EUVD
EUVD
added 2026/06/03 6:10 p.m.15 views

EUVD-2026-34164

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/03 6:10 p.m.11 views

CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/03 6:10 p.m.8 views

CVE-2026-7888

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/03 6:10 p.m.35 views

CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

8.4CVSS0.00175EPSS
Exploits0References1
CVE
CVE
added 2026/06/03 6:10 p.m.22 views

CVE-2026-7888

CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.19 views

PT-2026-46047

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.2 Description PHP Object Injection occurs due to the use of unserialize calls within the Workflow, Form block, and File/Set components that do not implement the allowed classes restriction. This allows an...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/03 12:0 a.m.10 views

concretecms 安全漏洞

ConcreteCMS is an open-source content management system developed by Concrete. Versions of ConcreteCMS prior to 9.5.2 contained security vulnerabilities. These vulnerabilities stemmed from the unserialize method calls in Workflow, Form blocks, and File/Set components, which lacked a allowedclasse...

8.4CVSS5.4AI score0.00175EPSS
Exploits0References1
OSV
OSV
added 2026/05/27 9:13 p.m.9 views

GHSA-M7V2-7GXM-VC2V Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Description Symfony\Bridge\Monolog\Command\ServerLogCommand the server:log console command is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP...

9.3CVSS6.4AI score0.01261EPSS
Exploits0References6
OSV
OSV
added 2026/05/27 6:32 p.m.12 views

DRUPAL-CONTRIB-2026-038

The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...

6AI score
Exploits0References1
Snyk
Snyk
added 2026/05/27 4:57 p.m.10 views

Deserialization of Untrusted Data

Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process. An attacker can achieve arbitrary code execution by injecting malicious serialized PHP objects...

8CVSS6.3AI score0.00202EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/27 4:57 p.m.23 views

Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...

6.3AI score0.00202EPSS
Exploits0References5Affected Software1
SUSE CVE
SUSE CVE
added 2026/05/27 4:17 a.m.7 views

SUSE CVE-2023-30534

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory phpseclib, the necessary gadgets are not included, making them inaccessible an...

4.3CVSS6.8AI score0.02569EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.19 views

PT-2026-44164

Name of the Vulnerable Software and Affected Versions Basket versions prior to 2.1.17 Description The Basket module, which provides e-commerce and checkout functionality for Drupal sites, fails to sufficiently sanitize user-supplied data before it is processed by the PHP unserialize function. Thi...

5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.11 views

PT-2026-44147

GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowed classes restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...

8CVSS6.3AI score0.00202EPSS
Exploits0References6
Drupal
Drupal
added 2026/05/27 12:0 a.m.24 views

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...

6AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.11 views

PT-2026-44145

Name of the Vulnerable Software and Affected Versions symfony/monolog-bridge versions prior to 5.4.52 symfony/monolog-bridge versions prior to 6.4.40 symfony/monolog-bridge versions prior to 7.4.12 symfony/monolog-bridge versions prior to 8.0.12 symfony/symfony versions prior to 5.4.52...

9.3CVSS6.5AI score0.01261EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.15 views

PT-2026-43629

GitHub Security Advisory Draft — GM-369 Summary SQL injection in Pimcore's translation grid date filter — the user-supplied property field from the filter JSON is interpolated directly into a UNIX TIMESTAMPDATEFROM UNIXTIME... SQL expression without parameterization or allowlist validation...

8.8CVSS6.1AI score0.00457EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.10 views

Mirasvit Full Page Cache Warmer for Magento 2 代码问题漏洞

Mirasvit Full Page Cache Warmer for Magento 2 is a caching preheating extension developed by the American company Mirasvit for Magento 2. Versions prior to 1.11.12 of Mirasvit Full Page Cache Warmer for Magento 2 contained a code vulnerability. This vulnerability stemmed from the lack of...

9.8CVSS6.2AI score0.27546EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/24 8:48 p.m.12 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the extension failing to safely process untrusted client input of an attacker-controlled cookie directly to PHP's unserialize. A remote, unauthenticated attacker can supply a crafted serialized...

9.2CVSS5.8AI score0.02306EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.16 views

Deserialization of Untrusted Data

Overview symfony/monolog-bridge is a Provides integration for Monolog with various Symfony components Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization of network input in Symfony\Bridge\Monolog\Command\ServerLogCommand. An attacker can...

9.8CVSS6.4AI score0.01261EPSS
Exploits0References2
Rows per page
Query Builder