
4237 matches found

RedhatCVE
added 2026/01/07 9:35 a.m., 7 views

CVE-2019-7725

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie, i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

CVSS 9.8 | AI score 7 | EPSS 0.00681
Exploits: 0 | References: 1
Positive Technologies
added 2026/01/07 12:00 a.m., 4 views

PT-2026-2136

Name of the Vulnerable Software and Affected Versions: Preact versions 10.26.5 through 10.26.9; Preact versions 10.27.0 through 10.27.2; Preact versions 10.28.0 through 10.28.1. Description: Preact, a lightweight web development framework, has an issue with JSON serialization protection. A regression...

CVSS 9.2 | AI score 6.6 | EPSS 0.00057
Exploits: 1 | References: 5
NVD
added 2026/01/06 3:15 p.m., 2 views

CVE-2026-21493

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2...

CVSS 6.6 | EPSS 0.00015
Exploits: 1 | References: 3
Cvelist
added 2026/01/06 2:11 p.m., 22 views

CVE-2026-21493 iccDEV has Type Confusion during XML Curve Serialization

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2...

CVSS 6.6 | EPSS 0.00015
Exploits: 1 | References: 3
Vulnrichment
added 2026/01/06 2:11 p.m., 2 views

CVE-2026-21493 iccDEV has Type Confusion during XML Curve Serialization

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2...

CVSS 6.6 | AI score 6.4 | EPSS 0.00015
Exploits: 1 | References: 3
OSV
added 2026/01/06 2:11 p.m., 3 views

CVE-2026-21493 iccDEV has Type Confusion during XML Curve Serialization

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2...

CVSS 6.6 | AI score 6.6 | EPSS 0.00015
Exploits: 1 | References: 5
CVE
added 2026/01/06 2:11 p.m., 9 views

CVE-2026-21493

CVE-2026-21493 (iccDEV) affects the iccDEV library/tools used for ICC color management profiles. The vulnerability is a Type Confusion in the CIccSingleSampledeCurveXml class during XML Curve Serialization. Affected versions are 2.3.1.1 and earlier; the issue is fixed in version 2.3.1.2. The Red ...

CVSS 6.6 | AI score 6.4 | EPSS 0.00015
Exploits: 1 | References: 3 | Affected Software: 1
EUVD
added 2026/01/06 2:11 p.m., 3 views

EUVD-2026-1156

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2...

CVSS 6.6 | AI score 6.3 | EPSS 0.00015
Exploits: 1 | References: 3
Positive Technologies
added 2026/01/06 12:00 a.m., 2 views

PT-2026-1434

Name of the Vulnerable Software and Affected Versions: iccDEV versions prior to 2.3.1.2. Description: iccDEV, a set of libraries and tools for working with ICC color management profiles, contains a Type Confusion issue within its CIccSingleSampledeCurveXml class during XML Curve Serialization...

CVSS 6.6 | AI score 6.6 | EPSS 0.00015
Exploits: 1 | References: 5
Snyk
added 2026/01/05 3:40 a.m., 2 views

Remote Code Execution (RCE)

Overview: Affected versions of this package are vulnerable to Remote Code Execution (RCE) over the /expr endpoint. An authenticated user can execute code or disrupt service by sending malicious serialized data as the code parameter, which is passed to expr.Exec and executed as an expression without...

CVSS 8.8 | AI score 6.8 | EPSS 0.00029
Exploits: 0 | References: 2
Tenable Nessus
added 2025/12/31 12:00 a.m., 6 views

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993107)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993107 advisory. In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization. Ole reported that event->mmap_mutex is strictly insufficient...

CVSS 7.8 | AI score 6.5 | EPSS 0.00016
Exploits: 0 | References: 4
NVD
added 2025/12/28 3:15 a.m., 3 views

CVE-2025-15117

A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is...

CVSS 3.1 | EPSS 0.00056
Exploits: 0 | References: 4
GithubExploit
added 2025/12/27 6:49 a.m., 677 views

Exploit for CVE-2025-68664

CVSS 9.9 | AI score 9.7 | EPSS 0.68312
Exploits: 32
The Hacker News
added 2025/12/26 9:27 a.m., 6 views

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core, i.e., langchain-core, is a core Python package that's part of the LangChain...

CVSS 9.3 | AI score 7.8 | EPSS 0.02624
Exploits: 4
RedhatCVE
added 2025/12/26 5:41 a.m., 6 views

CVE-2025-68664

A flaw was found in LangChain, a framework for building agents and LLM-powered applications. A remote attacker can exploit a serialization injection vulnerability in LangChain's dumps and dumpd functions. This occurs because the functions do not properly escape dictionaries containing the interna...

CVSS 9.3 | AI score 7.5 | EPSS 0.02624
Exploits: 4 | References: 10
RedhatCVE
added 2025/12/24 5:23 p.m., 4 views

CVE-2025-68665

A flaw was found in LangChain. A remote attacker could exploit a serialization injection vulnerability in the toJSON method. This occurs because the method fails to properly escape objects containing 'lc' keys during serialization of free-form data. When user-controlled data includes this key...

CVSS 8.6 | AI score 7 | EPSS 0.00072
Exploits: 0 | References: 7
NVD
added 2025/12/23 11:15 p.m., 8 views

CVE-2025-68665

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 9.1 | EPSS 0.00072
Exploits: 0 | References: 4
NVD
added 2025/12/23 11:15 p.m., 3 views

CVE-2025-68664

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...

CVSS 9.3 | EPSS 0.02624
Exploits: 4 | References: 7
Vulnrichment
added 2025/12/23 10:56 p.m., 2 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 | AI score 6.8 | EPSS 0.00072
Exploits: 0 | References: 4
CVE
added 2025/12/23 10:56 p.m., 17 views

CVE-2025-68665

CVE-2025-68665 (LangChain JS) has a serialization-injection vulnerability in LangChain JS toJSON() and JSON.stringify() paths that fails to escape objects with the internal 'lc' key, causing user-controlled data to be mistaken for LangChain objects during deserialization. Affected: LangChain JS b...

CVSS 9.1 | AI score 6.8 | EPSS 0.00072
Exploits: 0 | References: 4 | Affected Software: 2