13 matches found
CVE-2025-26866
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
Apache HugeGraph-Server: RAFT and deserialization vulnerability
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
GHSA-Q37J-3367-FWV7 Apache HugeGraph-Server: RAFT and deserialization vulnerability
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
CVE-2025-26866
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
CVE-2025-26866
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
CVE-2025-26866 Apache HugeGraph-Server: RAFT and deserialization vulnerability
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
CVE-2025-26866 Apache HugeGraph-Server: RAFT and deserialization vulnerability
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
CVE-2025-26866
CVE-2025-26866 affects Apache HugeGraph-Server (HugeGraph-Server PD store) via insecure Hessian deserialization and RAFT-related manipulation, enabling remote code execution. Multiple sources describe a server-side deserialization vulnerability stemming from Hessian deserialization, with the miti...
EUVD-2025-203068
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...
GHSA-7RMP-3G9F-CVQ8 generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
Summary CWE-470 Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' when having Javers selected as Entity Audit Framework Details In the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes...
GHSA-W36W-948J-XHFW H2O vulnerable to Deserialization of Untrusted Data
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized no class whitelist. An attacker can construct ...
SUSE CVE-2017-0903
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution...
Deserialization of Untrusted Data
Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Deserialization of Untrusted Data when YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to...