Lucene search
K

582 matches found

OSV
OSV
added 2026/07/07 6:19 p.m.8 views

CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint this route is not covered by the dashboard middleware matcher, so no authorization check is applied. The sudoPassword field from the request body is written to t...

9.2CVSS6.3AI score0.01372EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

8.8CVSS0.00485EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 9:16 a.m.8 views

CVE-2026-40859

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter...

8.1CVSS0.00724EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/07/06 8:3 a.m.34 views

CVE-2026-46590 Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

0.00485EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:3 a.m.7 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

6.4AI score0.00485EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/06 8:3 a.m.14 views

CVE-2026-46590

CVE-2026-46590 (Apache Camel-PQC) describes a deserialization of untrusted data issue in the camel-pqc component. Hashicorp Vault and AWS Secrets Manager key lifecycle managers deserialize a Base64-wrapped value via java.io.ObjectInputStream.readObject() without an ObjectInputFilter or class allo...

8.8CVSS6.4AI score0.00485EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.14 views

PT-2026-55882

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.19.9 Description The camel-vertx-http component deserializes HTTP response bodies with the...

8.1CVSS6.5AI score0.00724EPSS
Exploits1References7
OSV
OSV
added 2026/06/30 10:27 a.m.5 views

SUSE-SU-2026:2702-1 Security update for libsoup

This update for libsoup fixes the following issue - CVE-2026-1801: HTTP Request Smuggling in soupfilterinputstreamreadline bsc1257649...

6.5CVSS6.6AI score0.00376EPSS
Exploits0References3
CVE
CVE
added 2026/06/28 2:45 p.m.28 views

CVE-2026-13502

The CVE-2026-13502 entry concerns antlr ANTLR4 up to 4.13.2. It affects the function ObjectInputStream.readObject in the antlr4-maven-plugin’s GrammarDependencies.java, indicating a time-of-check time-of-use issue. The attack is restricted to local execution and requires a high degree of complexi...

4.5CVSS5.2AI score0.00091EPSS
Exploits0References5
CVE
CVE
added 2026/06/26 2:43 p.m.12 views

CVE-2026-57527

CVE-2026-57527 affects the Zed Attack Proxy (ZAP) ViewState add-on prior to version 4. The vulnerability arises in the JSFViewState.decode() path, which base64-decodes the javax.faces.ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowl...

8.8CVSS6.4AI score0.00463EPSS
Exploits0References5
SUSE Linux
SUSE Linux
added 2026/06/09 12:51 p.m.7 views

Security update for libsoup

This update for libsoup fixes the following issues CVE-2026-1801: HTTP Request Smuggling in soupfilterinputstreamreadline bsc1257649. CVE-2026-4271: use-after-free in the HTTP/2 server when user signal handlers disconnect connections during callback execution bsc1259767. Patch Instructions: To...

8.8CVSS5.7AI score0.00829EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/06/07 2:58 p.m.16 views

CVE-2026-9828

A flaw was found in logback. An attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer could exploit a deserialization of untrusted data vulnerability, allowing for object injection. This could enable the instantiation of objects from certain Java classes...

6.3CVSS6.4AI score0.0037EPSS
Exploits0References2
OSV
OSV
added 2026/06/05 3:23 p.m.4 views

SUSE-SU-2026:22061-1 Security update for libsoup

This update for libsoup fixes the following issue - CVE-2026-1801: HTTP Request Smuggling in soupfilterinputstreamreadline bsc1257649...

6.5CVSS5.2AI score0.00376EPSS
Exploits0References3
OSV
OSV
added 2026/06/03 9:39 a.m.2 views

CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

9.8CVSS5.9AI score0.00468EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/02 12:0 a.m.20 views

Linux Distros Unpatched Vulnerability : CVE-2026-10532

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albe...

6.3CVSS6.3AI score0.00342EPSS
Exploits0References3
NVD
NVD
added 2026/06/01 1:16 p.m.18 views

CVE-2026-10532

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

6.3CVSS0.00342EPSS
Exploits0References1
OSV
OSV
added 2026/06/01 11:30 a.m.3 views

CVE-2026-10532 Logback deserialization whitelist bypass for Proxy objects

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

6.3CVSS6.6AI score0.00342EPSS
Exploits0References4
CVE
CVE
added 2026/06/01 11:30 a.m.164 views

CVE-2026-10532

The CVE-2026-10532 issue concerns deserialization of untrusted data in QOS.CH Sarl logback-logback-core’s HardenedObjectInputStream module, allowing Object Injection when serialized data is directed at SimpleSocketServer or SimpleSSLSocketServer to instantiate Proxy objects. The vulnerability is ...

6.3CVSS6.4AI score0.00342EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/01 11:30 a.m.11 views

CVE-2026-10532

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

6.3CVSS6.4AI score0.00342EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/01 11:30 a.m.10 views

CVE-2026-10532 Logback deserialization whitelist bypass for Proxy objects

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

6.3CVSS6.4AI score0.00342EPSS
Exploits0References1
Rows per page
Query Builder