Lucene search
K

155 matches found

Cvelist
Cvelist
added 2026/07/06 8:35 a.m.33 views

CVE-2026-43866 Apache Camel, Apache Camel: Camel JMS - CVE-2026-40860 fix bypass via DefaultExchangeHolder

Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component. JmsBinding.extractBodyFromJms in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject whenever the...

0.00504EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.8 views

PT-2026-55884

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9 Description The camel-hazelcast component manages Hazelcast instances using a default configuration that lacks a...

8.1CVSS6.5AI score0.00804EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/07/01 2:57 p.m.7 views

CVE-2026-24249

NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure...

7.8CVSS5.9AI score0.00164EPSS
Exploits0References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/22 1:11 p.m.4 views

Security Bulletin: Vulnerability in node-tar affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node-tar has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...

8.9CVSS7.4AI score0.00534EPSS
Exploits0Affected Software2
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.8 views

Drupal 10.5.x < 10.5.12 / 10.6.x < 10.6.11 / 11.2.x < 11.2.14 / 11.3.x < 11.3.12 Multiple Vulnerabilities (drupal-2026-06-17)

According to its self-reported version, the instance of Drupal running on the remote web server is 10.5.x prior to 10.5.12, 10.6.x prior to 10.6.11, 11.2.x prior to 11.2.14, or 11.3.x prior to 11.3.12. It is, therefore, affected by multiple vulnerabilities. - Drupal core contains a chain of metho...

6.3AI score0.00161EPSS
Exploits0References19
Tenable Nessus
Tenable Nessus
added 2026/06/12 12:0 a.m.251 views

Spring Framework 5.3.x < 5.3.49 / 6.1.x < 6.1.28 / 6.2.x < 6.2.18.1 / 7.0.x < 7.0.7.1 Multiple Vulnerabilities

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.49, 6.1.x prior to 6.1.28, 6.2.x prior to 6.2.18.1, or 7.0.x prior to 7.0.7.1. It is, therefore, affected by multiple vulnerabilities: - IDs for WebSocket sessions in the spring-websocket module are not...

9.8CVSS5.6AI score0.00399EPSS
Exploits0References30
Github Security Blog
Github Security Blog
added 2026/06/11 8:34 p.m.12 views

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

Summary Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution RCE. Impact If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code. Details Authenticated users can access Vector Data Sources page to...

8.8CVSS7.2AI score0.01628EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.16 views

PT-2026-48382

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution...

5.3CVSS6AI score0.00317EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/09 11:49 p.m.10 views

CVE-2026-41732 In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

8.1CVSS5.4AI score0.00347EPSS
Exploits0References1
Spring Security Advisories
Spring Security Advisories
added 2026/06/09 12:0 a.m.6 views

CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

8.1CVSS5.9AI score0.00489EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/03 11:16 a.m.9 views

DEBIAN-CVE-2026-47065

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

9.8CVSS5.5AI score0.00468EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/03 12:0 a.m.9 views

Apache MINA 代码问题漏洞

Apache MINA is a web application framework developed by the Apache Foundation in the United States. This product is primarily used for developing high-performance and highly scalable web applications. Apache MINA has code vulnerabilities that arise from issues with the resolveProxyClass method no...

9.8CVSS5.6AI score0.00468EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/01 5:59 p.m.13 views

EUVD-2026-33737

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

9CVSS6.5AI score0.00458EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 5:32 a.m.16 views

CVE-2025-11993

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'importsettings' function. This is due to deserialization of untrusted data supplied via the import...

8.8CVSS6AI score0.00378EPSS
Exploits0References3
CVE
CVE
added 2026/05/27 7:35 p.m.38 views

CVE-2026-45134

LangSmith CVE-2026-45134 affects LangSmith Client SDKs with prompt-pull methods that fetch/deserialize prompt manifests from LangSmith Hub. The issue allows manifest content to be influenced by external parties when pulling a public prompt (owner/name), because prior SDKs did not distinguish such...

7.1CVSS5.8AI score0.00199EPSS
Exploits0References1
CVE
CVE
added 2026/05/22 6:12 p.m.25 views

CVE-2026-9291

Summary: CVE-2026-9291 describes an insecure deserialization flaw in the Amazon Braket SDK’s job results processing. Affected software: Amazon Braket SDK (job results processing component) before version 1.117.0. Impact (as stated): A remote authenticated user with S3 write access to the job outp...

7.5CVSS6.4AI score0.0038EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/18 10:39 a.m.8 views

CVE-2026-7304

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads will be deserialized without validation...

9.8CVSS6.4AI score0.00585EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/16 3:26 p.m.10 views

Deserialization of Untrusted Data

Overview jsonpickle is a Python library for serializing any arbitrary object graph into JSON. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the loadrepr function in Unpickler. An attacker can execute arbitrary system commands by supplying malicious JSON...

9.8CVSS6.2AI score0.00696EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/13 4:26 a.m.9 views

CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS5.8AI score0.00481EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.18 views

PT-2026-40723

Name of the Vulnerable Software and Affected Versions LangSmith SDK Python versions prior to 0.8.0 LangSmith SDK JS/TS versions prior to 0.6.0 Description The prompt pull methods pull prompt and pull prompt commit in Python, and pullPrompt and pullPromptCommit in JS/TS, fetch and deserialize prom...

7.1CVSS5.7AI score0.00199EPSS
Exploits0References7
Rows per page
Query Builder