Lucene search
+L

30 matches found

NVD
NVD
added 2026/06/23 9:16 p.m.10 views

CVE-2026-41862

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS0.00423EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 8:59 p.m.37 views

CVE-2026-41862

CVE-2026-41862 affects Spring Statemachine Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) which deserialize persisted StateMachineContext without a class allowlist. This can enable a gadget chain leading to remote code execution inside the application JVM. Affected versions a...

8.8CVSS6.5AI score0.00423EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:59 p.m.9 views

CVE-2026-41862

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS6.5AI score0.00423EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 8:59 p.m.32 views

CVE-2026-41862

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS0.00423EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 8:59 p.m.12 views

EUVD-2026-38596

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS6.5AI score0.00423EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.18 views

PT-2026-51593

Name of the Vulnerable Software and Affected Versions Spring Statemachine versions 4.0.0 through 4.0.1 Spring Statemachine versions 3.2.0 through 3.2.4 Description Kryo-based persistence backends, including JPA, MongoDB, Redis, and ZooKeeper, deserialize persisted state-machine contexts without...

8.8CVSS6.4AI score0.00423EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/18 2:28 p.m.4 views

Eval Injection

Overview python-statemachine is a Python Finite State Machines made easy. Affected versions of this package are vulnerable to Eval Injection via the SCXMLProcessor.parsescxmlfile process. An attacker can execute arbitrary code in the context of the hosting process by supplying a crafted SCXML...

9.8CVSS6.1AI score0.01188EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/18 2:28 p.m.15 views

EUVD-2026-37730

python-statemachine SCXML Eval Injection...

9.8CVSS5.2AI score0.01188EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.11 views

python-statemachine SCXML <data expr> Eval Injection

Summary python-statemachine 3.1.2 evaluates attributes in SCXML documents using Python's eval. Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process. Details SCXMLProcessor.parsescxmlfile...

9.8CVSS6.2AI score0.01188EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/06/17 2:32 p.m.50 views

CVE-2026-47103

Python StateMachine 3.0.0 before 3.2.0 has a remote code execution flaw: crafted SCXML documents with are unsafely evaluated via eval() in the SCXMLProcessor, enabling arbitrary code execution in the hosting process. Affected versions are 3.0.0 up to (but not including) 3.2.0. The CVSS metrics i...

9.8CVSS6.7AI score0.01188EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/17 2:32 p.m.11 views

CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings...

9.8CVSS6.6AI score0.01188EPSS
Exploits1References3
OSV
OSV
added 2026/06/17 2:32 p.m.3 views

CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings...

9.3CVSS6.8AI score0.01188EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.27 views

PT-2026-50440

Name of the Vulnerable Software and Affected Versions Python StateMachine versions 3.0.0 through 3.1.x Description An issue exists where the library evaluates expressions from SCXML documents unsafely. The SCXMLProcessor passes attacker-controlled expression strings from attributes through a call...

9.8CVSS6.2AI score0.01188EPSS
Exploits1References15
Spring Security Advisories
Spring Security Advisories
added 2026/06/11 12:0 a.m.23 views

cve-2026-41862 - HIGH - Kryo deserialization of persisted context without class allowlist

cve-2026-41862 - HIGH - Kryo deserialization of persisted context without class allowlist...

8.8CVSS6.1AI score0.00423EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 12:27 p.m.10 views

CVE-2018-12290

The Yii2-StateMachine extension v2.x.x for Yii2 has XSS...

6.1CVSS6.9AI score0.00707EPSS
Exploits1References1
UbuntuCve
UbuntuCve
added 2025/12/30 1:16 p.m.5 views

CVE-2023-54235

In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroyworkonstack race The following debug object splat was observed in testing: ODEBUG: free active active state 0 object: 0000000097d23782 object type: workstruct hint: doestatemachinework+0x0/0x510 WARNING: CPU: ...

5.8AI score0.00168EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2024/02/24 11:32 a.m.26 views

CVE-2023-52456

A flaw was found in the UART driver handling RS485 communication in the Linux Kernel when an unexpected closure of the TTY port occurs, such as during a userland application crash. In this scenario, the imxuartshutdown function disables the UART interface and the Transmission Complete TC interrup...

5.5CVSS6AI score0.00175EPSS
Exploits0References4
Prion
Prion
added 2024/02/23 3:15 p.m.15 views

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TXEN pin. When the TTY port is closed in the middle of a...

7.4AI score0.00175EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2024/02/23 2:46 p.m.32 views

CVE-2023-52456

In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TXEN pin. When the TTY port is closed in the middle of a...

5.5CVSS7.6AI score0.00175EPSS
Exploits0
CVE
CVE
added 2024/02/23 2:46 p.m.1679 views

CVE-2023-52456

CVE-2023-52456 affects the Linux kernel, specifically the imx serial driver used for RS-485 when the TX state machine can deadlock if the TTY is closed mid-transmission. In that scenario, imx_uart_shutdown disables the interface and the Transmission Complete interrupt, causing imx_uart_stop_tx to...

5.5CVSS6.3AI score0.00175EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder