Lucene search
+L

785 matches found

nuclei
nuclei
added yesterday19 views

QVIS NVR/DVR - Remote Code Execution

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization. id: CVE-2021-41419 info: name: QVIS NVR/DVR - Remote Code Execution author: me9187 severity: critical description: | QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java...

9.8CVSS7.2AI score0.08517EPSS
Exploits1References2
nuclei
nuclei
added 3 days ago13 views

ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization

Zoho ManageEngine OpManager Stable build before 125203 and Released build before 125233 allows Remote Code Execution via the Smart Update Manager SUM servlet. id: CVE-2020-28653 info: name: ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization author: iamnoooob,pdresearch severity:...

9.8CVSS6.8AI score0.787EPSS
Exploits5References1
nvd
nvd
added last week8 views

CVE-2026-59827

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns ...

9.9CVSS0.00457EPSS
Exploits1References6
euvd
euvd
added 2026/07/06 3:42 p.m.4 views

EUVD-2026-41885

Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: before 3.0.0-M4 libsvm document categorization module; introduced in OPENNLP-1808 and only present on the 3.x line Description: SvmDoccatModel.deserializeInputStream reads an attacker-controlled stream with...

7.3CVSS6.7AI score0.08786EPSS
Exploits0References1
cve
cve
added 2026/07/06 7:55 a.m.14 views

CVE-2026-43865

CVE-2026-43865 — Apache Camel Hazelcast deserialization risk The Camel Hazelcast component, when using default configuration, does not enable a Java deserialization filter, causing objects received over the Hazelcast cluster protocol to be deserialized inside Hazelcast before Camel processes them...

8.1CVSS6.3AI score0.00804EPSS
Exploits1References2Affected Software1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.14 views

PT-2026-55955

Name of the Vulnerable Software and Affected Versions Apache OpenNLP versions prior to 3.0.0-M4 Description Untrusted Java deserialization occurs in the SvmDoccatModel.deserializeInputStream function. The function uses java.io.ObjectInputStream to read an attacker-controlled stream and calls...

7.3CVSS6.3AI score0.08786EPSS
Exploits0References5
nvd
nvd
added 2026/06/30 11:17 p.m.14 views

CVE-2026-55223

c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection and ConnectionPoolDataSource.getPooledConnection match the getXXX form, so JavaBean...

6.3CVSS0.00284EPSS
Exploits0References2
cve
cve
added 2026/06/30 7:20 p.m.25 views

CVE-2026-13773

CVE-2026-13773 affects IBM WebSphere eXtreme Scale 8.6.1.0–8.6.1.6. Approximately 50 generated CORBA stub classes in ogclient.jar deserialize an attacker-controlled IOR via ObjectInputStream, using ORB.string_to_object() to perform outbound IIOP SSRF to a chosen host. When combined with IBM ORB g...

10CVSS6.4AI score0.03415EPSS
Exploits0References1Affected Software1
osv
osv
added 2026/06/23 9:24 p.m.3 views

GHSA-5HH8-Q8HV-FR38 jackson-databind has @JsonView bypass for setterless creator properties

Summary In BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInViewactiveView check. A change making SetterlessProperty.isMerging return true routed setterless...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References6
osv
osv
added 2026/06/23 9:22 p.m.10 views

GHSA-HGJ6-7826-R7M5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Summary JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References4
ibm
ibm
added 2026/06/22 1:11 p.m.4 views

Security Bulletin: Vulnerability in node-tar affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node-tar has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...

8.9CVSS7.4AI score0.00534EPSS
Exploits0Affected Software2
nessus
nessus
added 2026/06/17 12:0 a.m.15 views

Oracle PeopleSoft Unauthenticated Java Deserialization SSRF / RCE (CVE-2026-35273)

Binary data oraclepeoplesoftssrfcve202635273.nbin...

9.8CVSS5.6AI score0.9233EPSS
Exploits3References3
nuclei
nuclei
added 2026/06/16 7:13 a.m.254 views

ManageEngine Desktop Central Java Deserialization

Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution. id: CVE-2020-10189 info: name: ManageEngine Desktop Central Java Deserialization author: king-alexander severity: critical description: | Zoho ManageEngine...

10CVSS9.2AI score0.99941EPSS
Exploits6References5
osv
osv
added 2026/06/09 11:46 p.m.3 views

CVE-2026-40993 Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository saml2assertingpartymetadata may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials verificationcredentials and...

7.3CVSS5.9AI score0.00198EPSS
Exploits0References3
spring
spring
added 2026/06/09 12:0 a.m.13 views

cve-2026-40993 - HIGH - Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry

cve-2026-40993 - HIGH - Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry...

7.3CVSS6.1AI score0.00198EPSS
Exploits0
redhatcve
redhatcve
added 2026/06/05 7:17 p.m.14 views

CVE-2026-6009

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution RCE, potentially allowing code execution on the affected system...

8.7CVSS6.2AI score0.00476EPSS
Exploits0References1
osv
osv
added 2026/06/03 11:16 a.m.9 views

DEBIAN-CVE-2026-47065

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

9.8CVSS5.5AI score0.00468EPSS
Exploits0References1
nvd
nvd
added 2026/05/19 6:16 p.m.31 views

CVE-2026-6009

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution RCE, potentially allowing code execution on the affected system...

8.7CVSS0.00476EPSS
Exploits0References1
osv
osv
added 2026/05/19 6:16 p.m.8 views

UBUNTU-CVE-2026-6009

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution RCE, potentially allowing code execution on the affected system...

8.7CVSS6.4AI score0.00476EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/05/19 5:23 p.m.10 views

CVE-2026-6009

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution RCE, potentially allowing code execution on the affected system...

8.7CVSS6.2AI score0.00476EPSS
Exploits0References2
Rows per page
Query Builder