PT-2026-45977
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler —...
CVE-2026-48917
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation...
PT-2026-29565
An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object...
CVE-2026-24165
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering...
CVE-2026-1323
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...
CVE-2026-3060
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads without authentication...
sglang security vulnerability
SGLang is a programming language and runtime system developed by SGL-project, aimed at accelerating large model inference. SGLang has a security vulnerability that stems from the multi-modal generation module deserializing unvalidated data through the ZMQ proxy, potentially allowing remote code...
CVE-2025-60210 WordPress Everest Forms - Frontend Listing plugin <= 1.0.5 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing (everest-forms-frontend-listing) allows Object Injection. This issue affects Everest Forms - Frontend Listing: from n/a through 1.0.5...
CVE-2025-58662
CVE-2025-58662 (Awesome Support, WordPress) Deserialization of untrusted data in the Awesome Support plugin can lead to PHP object injection. The vulnerability affects versions up to 6.3.4 (per initial description) and is corroborated in vulnerability databases with the same CVE. According to pat...
CVE-2025-54053 WordPress Groundhogg <= 4.2.2 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2...
CVE-2023-37227
Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data...
CVE-2023-37227
Loftware Spectrum is affected by a deserialization vulnerability in versions before 4.6 HF13. The issue involves deserializing untrusted data and, per CVSS data in the initial records, could allow a network-exposed attacker to achieve high impact on confidentiality, integrity, and availability (b...
CVE-2023-1967
Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid...
WordPress plugin The Analyticator code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A code issue vulnerability exists in the...
GHSA-92J2-5R7P-6HJW Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML...
PT-2018-14320 · Citrix · Xen Mobile
Name of the Vulnerable Software and Affected Versions: Xen Mobile versions prior to 10.8.0 Description: The issue arises from a service listening on port 5001 within the firewall of Xen Mobile, which accepts unauthenticated input. This service deserializes raw serialized Java objects into Java...
PT-2018-5047 · Red Hat · Red Hat Jboss Fuse 6 +1
Name of the Vulnerable Software and Affected Versions: Red Hat JBoss Fuse 6 Red Hat A-MQ 6 Description: A flaw was discovered in the JMX endpoint, allowing it to deserialize credentials passed to it. This could be exploited by an attacker to launch a denial of service attack. Recommendations: For...
Remote Code Execution (RCE)
Tablib is vulnerable to remote code execution (RCE). The Databook functionality within Tablib deserializes untrusted data from YAML files when importing books, allowing attackers to execute Python commands...