150 matches found
CVE-2026-41586
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without...
Unsafe Deserialization
Apache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to delayed enforcement of the classname allowlist in AbstractIoBuffer.getObject, where deserialization via ObjectInputStream.readObject occurs before validation, allowing execution of static initializers in malicious...
GHSA-4XWX-HVV7-7PRJ Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a...
CVE-2026-40473
The camel-mina component's MinaConverter.toObjectInputIoBuffer type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput f...
PT-2026-35371
The camel-mina component's MinaConverter.toObjectInputIoBuffer type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput f...
CVE-2026-3967 Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...
Deserialization Of Untrusted Data
Apache Camel is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the DefaultLevelDBSerializer class deserializing data using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions, which allows an attacker to inject a crafted...
GHSA-429Q-MRC4-38FR Apache Camel Deserializes Untrusted Data in its LevelDB Component
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. ...
CVE-2026-25747
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. ...
CVE-2026-25747
CVE-2026-25747 describes a Deserialization of Untrusted Data vulnerability in the Apache Camel LevelDB component. The issue stems from the DefaultLevelDBSerializer using java.io.ObjectInputStream to read from the LevelDB aggregation repository without ObjectInputFilter or class-loading restrictio...
MiracleLinux 8 : java-17-openjdk-17.0.2.0.8-4.el8 (AXSA:2022-2986:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-2986:01 advisory. OpenJDK: Incomplete deserialization class filtering in ObjectInputStream Serialization, 8264934 CVE-2022-21248 OpenJDK: Incorrect reading of TIFF...
EUVD-2025-205687
A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high...
EUVD-2025-205488
A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is...
PT-2025-53632
Name of the Vulnerable Software and Affected Versions: Dromara Sa-Token versions up to 1.44.0. Description: A weakness exists in Dromara Sa-Token up to version 1.44.0 related to deserialization. The issue affects the ObjectInputStream.readObject function within the SaJdkSerializer.java file...
Sa-Token Code Issue Vulnerability
Sa-Token is a lightweight Java authentication framework open-sourced by dromara. A code issue vulnerability exists in Sa-Token 1.44.0 and earlier versions; it stems from an incorrect operation of the function ObjectInputStream.readObject in the file SaJdkSerializer.java, which could lead to a...
EUVD-2021-20483
Malware in sbrugna...
EUVD-2020-0304
Malware in sbrugna...
EUVD-2022-1095
Malicious code in bioql PyPI...
Risky Deserialization Calls - benryanconversion ( Office Connector Plugin)
The benryanconversion plugin contains a code path that eventually ends up with a partially user-controlled filename being treated as the input for a call to readObject (see FileBackedCache.loadFile). To trigger this, an attacker would need to call the following, with a payload in the sheetName...
[9.0] Fix Risky deserialization calls
Issue Summary: fix. This is reproducible on Data Center: Yes. Steps to Reproduce: Cannot be reproduced. Expected Results: Where possible, restrict the set of classes that can be deserialized. OWASP's recommendation for readObject calls is to subclass the ObjectInputStream class, and overrid...