SUSE SLES15 Security Update : redis (SUSE-SU-2026:2098-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:2098-1 advisory. This update for redis fixes the following issue - CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialize...

CVE-2026-44660

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operatio...

Security update for redis7

This update for redis7 fixes the following issues CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to remot...

SUSE-SU-2026:2100-1 Security update for redis7

This update for redis7 fixes the following issues - CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. - CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to...

CVE-2026-46725 Remote Code Execution in extension "Content Element Selector" (ceselector)

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

OPENSUSE-SU-2026:20776-1 Security update for valkey

This update for valkey fixes the following issues - CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts bsc1258746. - CVE-2026-21863: denial of service via invalid clusterbus packet bsc1258788. - CVE-2026-23479: use-after-free in unblock client...

Security update for valkey

This update for valkey fixes the following issues CVE-2026-23479: use-after-free in unblock client flow may lead to remote code execution bsc1264164. CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. CVE-2026-25243:...

SUSE-SU-2026:1949-1 Security update for valkey

This update for valkey fixes the following issues - CVE-2026-23479: use-after-free in unblock client flow may lead to remote code execution bsc1264164. - CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. -...

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

BIT-KEYDB-2026-25589 RedisBloom RESTORE invalid memory access may allow remote code execution

RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the...

CVE-2026-25589 RedisBloom RESTORE invalid memory access may allow remote code execution

RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the...

CVE-2026-25589 RedisBloom RESTORE invalid memory access may allow remote code execution

RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the...

PT-2026-37093

Name of the Vulnerable Software and Affected Versions RedisBloom versions prior to 2.8.20 Description RedisBloom, a probabilistic data structures module for Redis, fails to properly validate serialized values processed via the 'RESTORE' command. An authenticated attacker with permissions to execu...

EUVD-2026-20020

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVE-2026-33993

A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The unserialize function, which converts serialized PHP data into JavaScript objects, fails to filter the proto key during deserialization. A remote attacker can exploit thi...

CVE-2026-2471

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the BaseModel class constructor calling maybeunserialize on all properties retrieved...

CVE-2026-2471

The WP Mail Logging plugin for WordPress (up to version 1.15.0) is vulnerable to PHP Object Injection via deserialization of untrusted input in the email log message field. The BaseModel constructor calls maybe_unserialize() on all properties from the database without validation, allowing an unau...

📄 Apache Tomcat 11.0.3 Remote Session Injection

A vulnerability in Apache Tomcat version 11.0.3 allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie...

📄 Microsoft Windows Server Update Services Remote Code Execution

This is a proof of concept exploit for Microsoft Windows Server Update Services that leverages an unsafe deserialization of untrusted data in WSUS's AuthorizationCookie handling. This file demonstrates payload generation in C. using System; using System.IO; using System.Security.Cryptography; usi...

EUVD-2016-4714

Malware in sbrugna...