Lucene search

45 matches found

NVD
added 2026/05/01 4:16 p.m., 4 views

CVE-2026-42471

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client Connection.php:76 calls unserialize on data received from the server response, enabling client-side RCE if connecting to a malicious server...

CVSS 8.1, EPSS 0.02308
Exploits 2, References 3

CVE
added 2025/12/18 12:0 a.m., 7 views

CVE-2025-63950

The CVE describes an insecure deserialization vulnerability in the to3k Twittodon application, specifically in the download.php script where the obj parameter is base64-encoded data passed directly to unserialize() without validation. This allows a remote, unauthenticated attacker to inject arbit...

CVSS 7.5, AI score 6.8, EPSS 0.00978
Exploits 1, References 2, Affected Software 1

RedhatCVE
added 2025/05/23 3:14 a.m., 5 views

CVE-2023-22851

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call...

CVSS 7.2, AI score 7.2, EPSS 0.00752
Exploits 3, References 1

Tenable Nessus
added 2024/04/15 12:0 a.m., 137 views

Laravel Framework < 5.5.41 / 5.6.x < 5.6.30 RCE

The version of Laravel Framework installed on the remote host is prior to 5.5.41 or 5.6.x prior to 5.6.30. It is, therefore, affected by a remote code execution vulnerability due to an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in...

CVSS 8.1, AI score 8.8, EPSS 0.84447
Exploits 11, References 2

F5 Networks
added 2023/02/21 7:52 p.m., 202 views

K16021: PHP vulnerability CVE-2014-8142

Security Advisory Description Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages imprope...

CVSS 7.5, AI score 8.1, EPSS 0.8832
Exploits 8

NVD
added 2023/01/14 2:15 a.m., 13 views

CVE-2023-22850

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call...

CVSS 8.8, AI score 8.9, EPSS 0.0127
Exploits 3, References 2

Prion
added 2023/01/14 2:15 a.m., 20 views

Code injection

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call...

CVSS 5.8, AI score 7.2, EPSS 0.00752
Exploits 3, References 2, Affected Software 1

Prion
added 2023/01/14 2:15 a.m., 20 views

Code injection

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call...

CVSS 6.5, AI score 8.9, EPSS 0.0127
Exploits 3, References 2, Affected Software 1

CVE
added 2023/01/14 12:0 a.m., 53 views

CVE-2023-22851

Tiki Wiki CMS Groupware before 24.2 is vulnerable to PHP Object Injection via lib/importer/tikiimporter_blog_wordpress.php when an admin triggers an unserialize call during WordPress import. CVE-2023-22851 details an object injection flaw that can lead to arbitrary PHP object creation within appl...

CVSS 7.2, AI score 7.1, EPSS 0.00752
Exploits 3, References 2, Affected Software 1

Github Security Blog
added 2022/05/14 12:56 a.m., 239 views

Laravel Framework RCE Vulnerability

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in...

CVSS 8.1, AI score 7.7, EPSS 0.84447
Exploits 11, References 6, Affected Software 1

OSV
added 2022/05/14 12:56 a.m., 58 views

GHSA-QVQM-H22R-4CP9 Laravel Framework RCE Vulnerability

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in...

CVSS 8.1, AI score 8.2, EPSS 0.84447
Exploits 11, References 6

Cvelist
added 2019/05/06 4:53 p.m., 13 views

CVE-2019-5434

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities...

AI score 9.8, EPSS 0.89078
Exploits 7, References 4

Prion
added 2019/04/11 8:29 p.m., 19 views

Design/Logic Flaw

An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php, it is possible to reach an unserialize call with an untrusted FEU cookie, and achieve authenticated object injection...

CVSS 6.5, AI score 8.7, EPSS 0.00905
Exploits 0, References 2, Affected Software 1

NVD
added 2019/03/26 5:29 p.m., 10 views

CVE-2019-9061

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager in the file action.installmodule.php, it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature...

CVSS 8.8, AI score 8.7, EPSS 0.00905
Exploits 0, References 2

NVD
added 2019/03/26 5:29 p.m., 11 views

CVE-2019-9057

An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection...

CVSS 8.8, AI score 8.8, EPSS 0.00905
Exploits 0, References 2

Prion
added 2019/03/26 5:29 p.m., 16 views

Design/Logic Flaw

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager in the file action.installmodule.php, it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature...

CVSS 6.5, AI score 8.6, EPSS 0.00905
Exploits 0, References 2, Affected Software 1

CVE
added 2019/03/26 4:49 p.m., 52 views

CVE-2019-9061

CMS Made Simple v2.2.8 is affected via the ModuleManager’s action.installmodule.php where an unserialize call with untrusted input can be triggered, enabling authenticated object injection when using the "install module" feature. This is supported across multiple sources (NVD/CVE-2019-9061 and PT...

CVSS 8.8, AI score 8.6, EPSS 0.00905
Exploits 0, References 2, Affected Software 1

Cvelist
added 2019/03/26 4:49 p.m., 12 views

CVE-2019-9061

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager in the file action.installmodule.php, it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature...

AI score 8.8, EPSS 0.00905
Exploits 0, References 2

OSV
added 2018/11/20 9:29 p.m., 40 views

CVE-2018-19396

ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class...

CVSS 7.5, AI score 6.7
Exploits 0, References 3

UbuntuCve
added 2018/11/20 9:29 p.m., 36 views

CVE-2018-19396

ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class...

CVSS 7.5, AI score 7.1, EPSS 0.01021
Exploits 1, References 1