3574 matches found
WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Frissi0n in WordPress Plugin Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms versions = 1.4.3...
WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Frissi0n in WordPress Plugin Integration for Contact Form 7 HubSpot versions = 1.3.7...
WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Frissi0n in WordPress Plugin Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms versions = 1.1.8...
WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin wpForo Forum versions = 3.1.0...
WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin WP Travel Engine versions = 6.7.12...
WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Frissi0n in WordPress Plugin Integration for Contact Form 7 and Constant Contact versions = 1.1.6...
CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...
EUVD-2026-34164
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
CVE-2026-7888
CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...
CVE-2026-7888 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...
Better Search Replace < 1.4.5 - PHP Object Injection
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...
PT-2026-46047
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.2 Description PHP Object Injection occurs due to the use of unserialize calls within the Workflow, Form block, and File/Set components that do not implement the allowed classes restriction. This allows an...
CVE-2026-39555
The CVE-2026-39555 entry concerns the WordPress Askka theme (versions up to 1.3.1). The vulnerability is a PHP Object Injection via a deserialization of untrusted data in the Askka plugin/theme, allowing object injection. Affected component: WordPress Askka theme
CVE-2026-39555 WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1...
CVE-2026-39551
The CVE-2026-39551 entry concerns the WordPress Töbel theme (versions <= 1.8.1) with a PHP Object Injection /deserialization vulnerability in Töbel. Affected component: Töbel theme; root cause: deserialization of untrusted data enabling object injection. Impact metrics from Patchstack indicate...
CVE-2026-39551 WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1...
CVE-2026-39550 WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6...
CVE-2026-39550
CVE-2026-39550 affects the WordPress Aperitif theme (versions up to 1.6). The issue is a PHP Object Injection caused by deserialization of untrusted data in Aperitif, enabling exploitation via a network vector with no user interaction and no privileges required. The CVSSv3.1 base score is 8.1 (HI...
[SECURITY] [DSA 6317-1] symfony security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6317-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 01, 2026 https://www.debian.org/security/faq -...