7654 matches found
CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...
CVE-2026-7888
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
EUVD-2026-34164
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888
CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...
SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...
SEOPress < 7.9 - Authentication Bypass
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...
Better Search Replace < 1.4.5 - PHP Object Injection
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...
PT-2026-46047
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.2 Description PHP Object Injection occurs due to the use of unserialize calls within the Workflow, Form block, and File/Set components that do not implement the allowed classes restriction. This allows an...
CVE-2026-39555
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39555
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39555 WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39555
The CVE-2026-39555 entry concerns the WordPress Askka theme (versions up to 1.3.1). The vulnerability is a PHP Object Injection via a deserialization of untrusted data in the Askka plugin/theme, allowing object injection. Affected component: WordPress Askka theme
EUVD-2026-33924
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39555 WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39550
Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6...
CVE-2026-39551
Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1...
CVE-2026-39551
The CVE-2026-39551 entry concerns the WordPress Töbel theme (versions <= 1.8.1) with a PHP Object Injection /deserialization vulnerability in Töbel. Affected component: Töbel theme; root cause: deserialization of untrusted data enabling object injection. Impact metrics from Patchstack indicate...