
59 matches found

Nuclei
added 18 hours ago · 39 views

SEOPress < 7.9 - Authentication Bypass

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...

CVSS 9.8 · AI score 5.4 · EPSS 0.71855
Exploits 1 · References 4
Cvelist
added 2026/05/26 2:15 p.m. · 36 views

CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

CVSS 9.8 · EPSS 0.06149
Exploits 0 · References 3
GithubExploit
added 2026/04/07 2:55 p.m. · 45 views

grav-cms-filecache-object-injection

Grav CMS FileCache Object Injection Description The File...

AI score 5.7
Exploits 0
Positive Technologies
added 2026/03/26 12:00 a.m. · 2 views

PT-2026-28254

PDF Explorer 1.5.66.2 contains a structured exception handler (SEH) overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH records with malicious data. Attackers can craft a payload with buffer overflow, NSEH jump, and ROP gadget chains that execute when the...

CVSS 8.6 · AI score 6.4 · EPSS 0.00022
Exploits 1 · References 5
OSV
added 2026/02/19 10:05 p.m. · 4 views

GHSA-V7M3-FPCR-H7M2 Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()

Description The zumba/json-serializer library allows deserialization of PHP objects from JSON using a special @type field. Prior to version 3.2.3, the deserializer would instantiate any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may...

CVSS 8.1 · AI score 6.3 · EPSS 0.00143
Exploits 0 · References 5
GithubExploit
added 2026/01/09 4:16 p.m. · 165 views

Realworld-for-Application_FUGIO_FirstFrameworkFuzzingDetectPOI

FUGIO Production Guide Introduction FUGIO is the firs...

AI score 7.5
Exploits 0
OSV
added 2026/01/07 9:16 p.m. · 0 views

CVE-2026-22187

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity...

CVSS 7.8 · AI score 6.3
Exploits 0 · References 3
GithubExploit
added 2025/11/19 12:06 p.m. · 286 views

ysoserial

ysoserial [GitHub release badge] https://img.shields.io/github/do...

AI score 7.2
Exploits 0
OSV
added 2025/10/27 3:15 p.m. · 2 views

CVE-2025-34292

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize: the POST parameter formkitmemoryrecovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by...

CVSS 9.4 · AI score 8.3
Exploits 0 · References 4
Gitee
added 2025/09/14 7:03 p.m. · 88 views

gadgetinspector

This is a Java-based tool for finding deserialization gadget chains in Java applications. The tool is called "Gadget Inspector" and is presented as a project that was showcased at Black Hat USA 2018. The tool is designed to automatically discover possible gadget chains in an application's...

AI score 7.1
Exploits 0
Gitee
added 2025/09/14 1:32 p.m. · 163 views

ysoserial

This is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool, called ysoserial, is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java libraries that can, under the right conditions, exploit Jav...

AI score 7.2
Exploits 0
Gitee
added 2025/09/13 5:14 p.m. · 189 views

ysoserial

This is a Java-based proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool, named ysoserial, is designed to create gadgets that can be used to execute arbitrary commands on a vulnerable application. The gadgets are created by wrapping a...

AI score 7.8
Exploits 0
GithubExploit
added 2025/09/11 3:29 p.m. · 221 views

Exploit for Deserialization of Untrusted Data in Telerik Ui_For_Asp.Net_Ajax

CVE-2019-18935-exploit-study In-depth study of...

CVSS 9.8 · AI score 7.1 · EPSS 0.93583
Exploits 16
GithubExploit
added 2025/08/12 10:34 p.m. · 313 views

Exploit for Deserialization of Untrusted Data in Cisco Identity_Services_Engine

CVE-2025-20124 – Cisco ISE 3.0 Java Deserialization Remote Cod...

CVSS 9.9 · AI score 8 · EPSS 0.09507
Exploits 4
GithubExploit
added 2025/08/06 7:16 a.m. · 101 views

Exploit for Deserialization of Untrusted Data in Apache Tomcat

CVE-2025-24813 Exploit Toolkit This is an advanced and automa...

CVSS 9.8 · AI score 9.2 · EPSS 0.9413
Exploits 44
ATTACKERKB
added 2025/06/10 8:15 a.m. · 3 views

CVE-2025-27818

A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, whic...

CVSS 8.8 · AI score 5.9 · EPSS 0.00682
Exploits 0 · References 2 · Affected Software 1
Packet Storm News
added 2025/04/29 12:00 a.m. · 3 views

Sleeping Giants -- Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes

Java deserialization gadget chains are a well-researched critical software weakness. The vast majority of known gadget chains rely on gadgets from software dependencies. Furthermore, it has been shown that small code changes in dependencies have enabled these gadget chains. This makes gadget chai...

AI score 7.1
Exploits 0
NVD
added 2025/02/20 12:15 a.m. · 3 views

CVE-2024-37361

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid (CWE-502). Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to...

CVSS 9.9 · EPSS 0.00353
Exploits 0 · References 1
CVE
added 2025/02/19 11:25 p.m. · 41 views

CVE-2024-37361

CVE-2024-37361 affects Hitachi Vantara Pentaho Business Analytics Server. The flaw is deserialization of untrusted JSON data caused by not constraining the parser to approved classes/methods, enabling potentially dangerous gadget chains during deserialization. Affected versions include before 10....

CVSS 9.9 · AI score 9.5 · EPSS 0.00353
Exploits 0 · References 1
Positive Technologies
added 2024/12/13 12:00 a.m. · 5 views

PT-2024-36551 · Unknown · Invoice Ninja

Name of the Vulnerable Software and Affected Versions: Invoice Ninja versions prior to 5.10.43. Description: The issue allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files that have default APP_KEY values. The route...

CVSS 8.8 · AI score 10 · EPSS 0.45997
Exploits 5 · References 8