Lucene search
K

1320 matches found

Snyk
Snyk
added 2026/05/20 3:35 p.m.16 views

Deserialization of Untrusted Data

Overview symfony/monolog-bridge is a Provides integration for Monolog with various Symfony components Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization of network input in Symfony\Bridge\Monolog\Command\ServerLogCommand. An attacker can...

9.8CVSS6.4AI score0.01261EPSS
Exploits0References2
NVD
NVD
added 2026/05/19 10:16 a.m.24 views

CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

9.2CVSS0.02306EPSS
Exploits1References1
NVD
NVD
added 2026/05/19 10:16 a.m.13 views

CVE-2026-8727

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS0.00389EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/19 9:25 a.m.11 views

CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

9.2CVSS5.8AI score0.02306EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/19 9:25 a.m.16 views

EUVD-2026-30865

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

9.2CVSS5.8AI score0.02306EPSS
Exploits1References1
CVE
CVE
added 2026/05/19 9:25 a.m.27 views

CVE-2026-46725

The CVE-2026-46725 vulnerability affects the TYPO3 extension Content Element Selector (ceselector). The issue arises when an attacker-controlled cookie is passed directly to PHP unserialize() without safe input handling, enabling PHP Object Injection that can lead to Remote Code Execution on the ...

9.2CVSS5.8AI score0.02306EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/19 9:25 a.m.53 views

CVE-2026-46725 Remote Code Execution in extension "Content Element Selector" (ceselector)

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

9.2CVSS0.02306EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/19 9:16 a.m.9 views

CVE-2026-8727 Remote Code Execution in extension "Site Crawler" (crawler)

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS6AI score0.00389EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/19 9:16 a.m.10 views

CVE-2026-8727

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS6AI score0.00389EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/19 9:16 a.m.11 views

EUVD-2026-30854

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS6AI score0.00389EPSS
Exploits0References1
CVE
CVE
added 2026/05/19 9:16 a.m.24 views

CVE-2026-8727

The CVE-2026-8727 affects the TYPO3 Crawler extension (Site Crawler). The root cause is that the Crawler extension forwards the X-T3Crawler-Meta response header directly to PHP’s unserialize(), allowing an attacker-controlled crawled endpoint to inject arbitrary serialized PHP objects, leading to...

7.1CVSS6AI score0.00389EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/19 9:16 a.m.43 views

CVE-2026-8727 Remote Code Execution in extension "Site Crawler" (crawler)

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS0.00389EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.14 views

PT-2026-41867

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

7.1CVSS6AI score0.00389EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.20 views

PT-2026-41865

Name of the Vulnerable Software and Affected Versions Content Element Selector ceselector affected versions not specified Description The extension passes an attacker-controlled cookie directly to the unserialize function without safe processing. A remote, unauthenticated attacker can provide a...

9.2CVSS6.1AI score0.02306EPSS
Exploits1References8
CNNVD
CNNVD
added 2026/05/19 12:0 a.m.17 views

TYPO3 Extension Content Element Selector 代码问题漏洞

TYPO3 Extension Content Element Selector is an open-source extension for TYPO3 that allows users to select content elements. This extension has a code vulnerability that stems from the extension directly passing cookies controlled by the attacker to the PHP’s unserialize function without proper...

9.2CVSS6.1AI score0.02306EPSS
Exploits1References1
NVD
NVD
added 2026/05/18 9:16 p.m.21 views

CVE-2026-26978

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected...

8.6CVSS0.00896EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/18 8:49 p.m.14 views

EUVD-2026-30810

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected...

8.6CVSS5.8AI score0.00896EPSS
Exploits0References3
OSV
OSV
added 2026/05/15 6:7 p.m.7 views

GHSA-JRRG-99XH-5J2Q SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion

Summary simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into...

8.6CVSS5.8AI score0.00422EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/15 6:7 p.m.17 views

SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion

Summary simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into...

8.6CVSS5.8AI score0.00422EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/05 9:29 p.m.4 views

GHSA-GWFR-JFJF-92VV Grav has Insecure Deserialization in File Cache

Insecure Deserialization in File Cache - Severity: High - CWE: CWE-502 - Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php - Sink: unserialize$value, 'allowedclasses' = true Affected versions - Affected: = 1.7.44 and true allows object instantiation and does not constrain classes. P...

5CVSS5.8AI score0.00224EPSS
Exploits0References9
Rows per page
Query Builder