SEOPress < 7.9 - Authentication Bypass

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...

CVE-2026-11860

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

EUVD-2026-36703

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

PT-2026-49188

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

Deserialization of Untrusted Data

Overview org.springframework:spring-jms is a maven plugin for Spring JMS. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization in MappingJackson2MessageConverter and JacksonJsonMessageConverter within an untrusted JMS environment. An attacker c...

CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

grav-cms-filecache-object-injection

Grav CMS FileCache Object Injection Description The File...

PT-2026-28254

PDF Explorer 1.5.66.2 contains a structured exception handler SEH overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH records with malicious data. Attackers can craft a payload with buffer overflow, NSEH jump, and ROP gadget chains that execute when the...

GHSA-V7M3-FPCR-H7M2 Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()

Description The zumba/json-serializer library allows deserialization of PHP objects from JSON using a special @type field. Prior to version 3.2.3, the deserializer would instantiate any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may...

Realworld-for-Application_FUGIO_FirstFrameworkFuzzingDetectPOI

FUGIO Production Guide Introduction FUGIO is the firs...

CVE-2026-22187

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files .bfmemo during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity...

ysoserial

ysoserial !GitHub releasehttps://img.shields.io/github/do...

CVE-2025-34292

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize: the POST parameter formkitmemoryrecovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by...

gadgetinspector

This is a Java-based tool for finding deserialization gadget chains in Java applications. The tool is called "Gadget Inspector" and is presented as a project that was showcased at Black Hat USA 2018. The tool is designed to automatically discover possible gadget chains in an application's...

ysoserial

This is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool, called ysoserial, is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java libraries that can, under the right conditions, exploit Jav...

ysoserial

This is a Java-based proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool, named ysoserial, is designed to create gadgets that can be used to execute arbitrary commands on a vulnerable application. The gadgets are created by wrapping a...

Exploit for Deserialization of Untrusted Data in Telerik Ui_For_Asp.Net_Ajax

CVE-2019-18935-exploit-study In-depth study of...

Exploit for Deserialization of Untrusted Data in Cisco Identity_Services_Engine

CVE-2025-20124 – Cisco ISE 3.0 Java Deserialization Remote Cod...

Exploit for Deserialization of Untrusted Data in Apache Tomcat

CVE-2025-24813 Exploit Toolkit This is an advanced and automa...

CVE-2025-27818

A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, whic...