Lucene search
+L

5430 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/30 7:20 a.m.6 views

CVE-2026-12578

The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code...

8.4CVSS6AI score0.00388EPSS
Exploits0References2
Nvidia
Nvidia
added 2026/06/30 12:0 a.m.6 views

Security Bulletin: NVIDIA Megatron Bridge - June 2026

NVIDIA has released a software update for NVIDIA® Megatron Bridge. To protect your system, clone or update this software to version 0.4.1 or later from NVIDIA/Megatron-Bridge on GitHub. Go to NVIDIA Product Security. Details The following table summarizes the potential vulnerabilities that this...

7.8CVSS5.9AI score0.00175EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-349 H2O affected by a deserialization vulnerability

A deserialization vulnerability exists in h2oai/h2o-3 versions = 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and...

9.8CVSS7.5AI score0.00847EPSS
Exploits1References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-491 Apache Pyfory python is vulnerable to deserialization of untrusted data

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stre...

9.8CVSS6.2AI score0.41255EPSS
Exploits2References9
OSV
OSV
added 2026/06/29 11:50 a.m.9 views

PYSEC-2026-511 Qiskit allows arbitrary code execution decoding QPY format versions < 13

Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...

9.8CVSS6AI score0.00741EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-367 Kedro deserialization vulnerability

A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...

9.8CVSS7.7AI score0.01035EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-510 Qiskit allows arbitrary code execution decoding QPY format versions < 13

Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...

9.8CVSS6AI score0.00741EPSS
Exploits0References6
Veracode
Veracode
added 2026/06/26 9:30 a.m.8 views

Server-Side Request Forgery

jackson-databind is vulnerable to server-side request forgery SSRF. The vulnerability is due to eager DNS resolution during InetSocketAddress deserialization, where untrusted hostnames are resolved before application-level validation, allowing attackers to trigger arbitrary DNS requests by...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/25 9:25 p.m.5 views

GHSA-W567-GJR2-HM5J MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

Summary UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, b...

6.3CVSS5.9AI score0.00231EPSS
Exploits0References3
Metasploit
Metasploit
added 2026/06/25 7:5 p.m.189 views

Dalfox Found-Action Deserialization RCE

When dalfox version use exploit/linux/http/dalfoxserverrcecve202645087 msf exploitdalfoxserverrcecve202645087 show targets ...targets... msf exploitdalfoxserverrcecve202645087 set TARGET msf exploitdalfoxserverrcecve202645087 show options ...show and set options... msf...

10CVSS6.2AI score0.01051EPSS
Exploits2
Nuclei
Nuclei
added 2026/06/25 1:31 a.m.312 views

ElasticSearch - Remote Code Execution

ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine. id: CVE-2015-1427 info: name: ElasticSearch - Remote Code Execution author: pikpikcu...

9.8CVSS7.8AI score0.99906EPSS
Exploits19References5
ATTACKERKB
ATTACKERKB
added 2026/06/24 9:36 p.m.5 views

CVE-2026-10043

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a...

7.8CVSS6.4AI score0.00294EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/24 9:36 p.m.18 views

CVE-2026-10043

Technical details are not publicly available in the provided documents. Monitor for updates.

7.8CVSS7.6AI score0.00294EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:17 p.m.6 views

DEBIAN-CVE-2026-54515

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/23 9:17 p.m.5 views

Incorrect Authorization

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the...

6.5CVSS5.8AI score0.00211EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:17 p.m.5 views

UBUNTU-CVE-2026-54514

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:56 p.m.8 views

CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/06/23 8:53 p.m.181 views

CVE-2026-54513

CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...

8.1CVSS5.8AI score0.00695EPSS
Exploits0References11Affected Software1
OSV
OSV
added 2026/06/23 8:51 p.m.3 views

CVE-2026-54514 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS6AI score0.00219EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:50 p.m.8 views

CVE-2026-54515

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder