132 matches found
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unserialize function in the sync-invoke client when processing data received from a server response. An attacker can execute arbitrary code by sending crafted serialized data from a malicious...
CVE-2026-33993
A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The unserialize function, which converts serialized PHP data into JavaScript objects, fails to filter the proto key during deserialization. A remote attacker can exploit thi...
CVE-2026-33993
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993
Locutus (locutus/php/var/unserialize) is affected by prototype pollution via the proto key during PHP unserialize deserialization. Before v3.0.25, unserialize assigns keys into plain objects using bracket notation, which can trigger the proto setter and replace the object prototype with attacker-...
CVE-2026-33993
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
Prototype Pollution
Overview locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized...
PT-2026-28587
Name of the Vulnerable Software and Affected Versions Locutus versions prior to 3.0.25 Description The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto ...
CVE-2009-4137
The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the destruct function in the...
PT-2026-1654
Name of the Vulnerable Software and Affected Versions DZS Video Gallery versions through 12.37 Description The software contains a flaw due to deserialization of untrusted data, which allows for object injection. This issue presents a potential for remote code execution. The vulnerable component...
CVE-2025-63950
An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b 2023-02-28. The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize function without validation...
EUVD-2009-4571
Malware in sbrugna...
EUVD-2021-11491
Malware in sbrugna...
EUVD-2009-4385
Malware in sbrugna...
EUVD-2016-1939
Malware in sbrugna...
EUVD-2020-12725
Malware in sbrugna...
CVE-2025-11346 ILIAS Base64 Decoding unserialize deserialization
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument fsettings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version 8.24, 9.14 and 10....
EUVD-2023-50983
Malicious code in bioql PyPI...
EUVD-2025-5934
Malicious code in bioql PyPI...