95 matches found
CVE-2025-53572 WordPress WP Easy Contact Plugin <= 4.0.1 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection. This issue affects WP Easy Contact: from n/a through 4.0.1...
Linux Distros Unpatched Vulnerability : CVE-2021-29476
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Requests is an HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of Requests 1.6.0, 1.6....
Exploit for CVE-2025-49113
CVE-2025-49113 Roundcube Exploit A Python exploit for CVE-202...
CVE-2025-24779 WordPress Yogi theme < 2.9.3 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection. This issue affects Yogi: from n/a through 2.9.3...
CVE-2025-53990 WordPress JetFormBuilder plugin <= 3.5.1.2 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2...
CVE-2025-25034 SugarCRM PHP Deserialization RCE
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...
SUSE CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...
PT-2025-23470 · Roundcube · Roundcube
Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.6.11 Description: The issue is related to a Post-Auth RCE via PHP Object Deserialization in Roundcube. It is estimated that over 53 million hosts are potentially affected. The bug has existed undetected for 10...
CVE-2024-24725
Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/importrun.php=externalAssessment=4 URI...
CVE-2022-23940
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the emailrecipients property. By using a crafted request, they can create a malicious report, containin...
CVE-2025-47581
CVE-2025-47581 describes a Deserialization of Untrusted Data vulnerability in the WordPress plugin WordPress Events Calendar Registration & Tickets (versions n/a through 2.6.0). Root cause: an unauthenticated PHP object injection vector. Affected software: WordPress Events C...
CVE-2025-2244 Insecure PHP deserialization issue in GravityZone Console (VA-12634)
A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses PHP unserialize() on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write,...
CVE-2025-2244
CVE-2025-2244 affects Bitdefender GravityZone Console, via the vulnerable sendMailFromRemoteSource method in Emails.php that unserializes user input without validation. This enables PHP object injection, leading to a file write and arbitrary command execution on the host, per multiple sources. In...
InvoiceShelf unauthenticated PHP Deserialization Vulnerability
InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments, create professional invoices & estimates and is based on the PHP framework Laravel. InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct PHP...
InvoiceShelf 1.3.0 Remote Code Execution
This Metasploit module exploits a PHP deserialization vulnerability in InvoiceShelf versions 1.3.0 and below that results in remote code execution. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...
Invoice Ninja unauthenticated PHP Deserialization Vulnerability
Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel. A Remote Code Execution vulnerability in Invoice Ninja = 5.8.22 which accepts a Laravel ciphered value that is unsafely unserialized, if an attacker has access to the APPKEY. As it allows remote co...
Invoice Ninja 5.10.10 Insecure Deserialization / Remote Code Execution Exploit
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Invoice Ninja unauthenticated PHP Deserialization Vulnerability', 'Description' = %q Invoice Ninja is a free invoicing software for small...
Invoice Ninja 5.10.10 Insecure Deserialization / Remote Code Execution
Invoice Ninja versions 5.8.22 through 5.10.10 allows for remote code execution by leveraging a PHP deserialization vulnerability. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Invoice Ninja...