CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

CVE-2026-8727

The CVE-2026-8727 affects the TYPO3 Crawler extension (Site Crawler). The root cause is that the Crawler extension forwards the X-T3Crawler-Meta response header directly to PHP’s unserialize(), allowing an attacker-controlled crawled endpoint to inject arbitrary serialized PHP objects, leading to...

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

PT-2025-52347

Name of the Vulnerable Software and Affected Versions MiczFlor RPi-Jukebox-RFID versions prior to commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 2025-10-07 Description An insecure deserialization issue exists in the rss-mp3.php script. The rss GET parameter receives data that is directly passed ...

Exploit for Code Injection in Foxcms

🌐 CVE-2025-29306 Critical Remote Code Execution RCE in Fo...

EUVD-2017-8829

Malware in sbrugna...

EUVD-2023-45175

Malicious code in bioql PyPI...

PT-2025-14874 · Bitdefender · Bitdefender Gravityzone Console

Name of the Vulnerable Software and Affected Versions: Bitdefender GravityZone Console affected versions not specified Description: A vulnerability exists in the sendMailFromRemoteSource method in Emails.php, which unsafely uses the php unserialize function on user-supplied input without...

CVE-2024-54135 Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199

ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photoupload.php within the decodekey function. User inputs were supplied to this function...

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which can result in arbitrary code execution...

UserPro < 5.1.1 - Cross-Site Request Forgery to PHP Object Injection

Description The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object...

Cross site request forgery (csrf)

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to...

K000132775: DOMPDF vulnerabilities CVE-2023-23924 and CVE-2023-24813

Security Advisory Description CVE-2023-23924 Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This may lead to arbitrary object unserialize on PHP 8, through the phar URL wrapper. An attacker can exploit...

SUSE CVE-2009-4418

The unserialize function in PHP 5.3.0 and earlier allows context-dependent attackers to cause a denial of service resource consumption via a deeply nested serialized variable, as demonstrated by a string beginning with a:1: followed by many a:1: sequences...

Restrictive composer.json makes Dompdf vulnerable to URI validation failure on SVG parsing

Description The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP tags, in src/Image/Cache.php: if $type === "svg" $parser = xmlparsercreate"utf-8"; xmlparsersetoption$parser,...

CVE-2021-21956

A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability...

Design/Logic Flaw

A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability...

CVE-2021-21956

A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability...