462 matches found
CVE-2026-12081
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...
CVE-2026-12081
CVE-2026-12081 affects the Database for Contact Form 7, WPforms, and Elementor forms WordPress plugin (versions before 1.5.2). The issue arises from unserializing an attacker-supplied form-field value without restricting PHP classes, allowing unauthenticated users to inject arbitrary PHP objects ...
PYSEC-2026-540 Shinken Solutions Shinken Monitoring vulnerable to Incorrect Access Control
Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server...
CVE-2026-46491
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controll...
EUVD-2026-35871
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controll...
Fedora 44 : php-zumba-json-serializer (2026-ce5f5c292d)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-ce5f5c292d advisory. Version 3.2.4 - Fix serialization of parent class private properties by @Copilot in 71 - Fix fatal error when serializing objects with uninitialized typed...
Fedora 42 : php-zumba-json-serializer (2026-d781fd2f6b)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-d781fd2f6b advisory. Version 3.2.4 - Fix serialization of parent class private properties by @Copilot in 71 - Fix fatal error when serializing objects with uninitialized typed...
Fedora 43 : php-zumba-json-serializer (2026-5ff99e948e)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-5ff99e948e advisory. Version 3.2.4 - Fix serialization of parent class private properties by @Copilot in 71 - Fix fatal error when serializing objects with uninitialized typed...
EUVD-2026-9099
The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2026-1542
The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2026-1542
The CVE-2026-1542 entry concerns the WordPress plugin Simple Stage WP (Super Stage WP) versions up to 1.0.1. The vulnerability arises from unserializing user input via REQUEST, enabling unauthenticated PHP Object Injection when a suitable gadget is present on the blog. Affected component: WordPre...
CVE-2026-1235
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2026-1235 WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2026-1235 WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
MiracleLinux 8 : php:7.4 (AXSA:2022-3857:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3857:01 advisory. ArchiveTar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked CVE-2020-28948 ArchiveTar: improper filename...
MiracleLinux 7 : php-pear-1.9.4-23.el7 (AXSA:2022-4004:01)
The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-4004:01 advisory. ArchiveTar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked CVE-2020-28948 ArchiveTar: improper filename...
Taiga tribe_gig authenticated unserialize remote code execution
This module exploits an unserialization flaw by creating a userstory in a project. Module Options msf use exploit/multi/http/taigatribegigunserial msf exploittaigatribegigunserial show targets ...targets... msf exploittaigatribegigunserial set TARGET msf exploittaigatribegigunserial show options...
CVE-2025-65035
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions database write access must first be obtained through another vulnerability or misconfiguration...
CVE-2025-65035
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions database write access must first be obtained through another vulnerability or misconfiguration...
CVE-2025-65035 GLPI Database Inventory Plugin Vulnerable to Stored Object Injection
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions database write access must first be obtained through another vulnerability or misconfiguration...