5372 matches found
PYSEC-2026-510 Qiskit allows arbitrary code execution decoding QPY format versions < 13
Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...
PYSEC-2026-511 Qiskit allows arbitrary code execution decoding QPY format versions < 13
Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...
Server-Side Request Forgery
jackson-databind is vulnerable to server-side request forgery SSRF. The vulnerability is due to eager DNS resolution during InetSocketAddress deserialization, where untrusted hostnames are resolved before application-level validation, allowing attackers to trigger arbitrary DNS requests by...
GHSA-W567-GJR2-HM5J MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length
Summary UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, b...
Dalfox Found-Action Deserialization RCE
When dalfox version use exploit/linux/http/dalfoxserverrcecve202645087 msf exploitdalfoxserverrcecve202645087 show targets ...targets... msf exploitdalfoxserverrcecve202645087 set TARGET msf exploitdalfoxserverrcecve202645087 show options ...show and set options... msf...
ElasticSearch - Remote Code Execution
ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine. id: CVE-2015-1427 info: name: ElasticSearch - Remote Code Execution author: pikpikcu...
CVE-2026-10043
MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a...
CVE-2026-10043
Technical details are not publicly available in the provided documents. Monitor for updates.
Incorrect Authorization
Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the...
DEBIAN-CVE-2026-54515
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...
UBUNTU-CVE-2026-54514
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...
CVE-2026-54513
CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...
CVE-2026-54516
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...
CVE-2026-48511 MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps
MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many...
CVE-2026-12787 zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 testConnection Endpoint deserialization
A vulnerability was found in zhilink 智互联深圳科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has...
Astra Linux – Vulnerability in Apache Log4j1.2
In Log4j 1.2, the JMSAppender component is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide configurations for TopicBindingName and TopicConnectionFactoryBindingName, causing the JMSAppender to make JNDI reques...
RHEL 9 : ruby:3.3 (RHSA-2026:26655)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:26655 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...
CVE-2026-8024
A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems...
CVE-2026-8024
The CVE-2026-8024 entry describes a deserialization vulnerability in the products ibaPDA and ibaDatCoordinator that can be exploited remotely by an unauthenticated attacker to gain full access to affected systems. The assessment notes a high-impact scenario affecting confidentiality, integrity, a...
EUVD-2026-37869
A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems...