1305 matches found
CVE-2026-33993
Locutus (locutus/php/var/unserialize) is affected by prototype pollution via the `__proto__` key during PHP unserialize deserialization. Before v3.0.25, unserialize assigns keys into plain objects using bracket notation, which can trigger the `__proto__` setter and replace the object prototype with attacker-...
CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized...
EUVD-2026-16070
Saloon has insecure deserialization in AccessTokenAuthenticator...
EUVD-2026-16888
Locutus has Prototype Pollution via `__proto__` Key Injection in unserialize...
Prototype Pollution
Overview Locutus brings other languages' standard libraries to JavaScript for fun and educational purposes. Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized...
GHSA-4MPH-V827-F877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized...
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with `allowed_classes = true`. An attacker who can control the serialized...
PT-2026-28587
Name of the Vulnerable Software and Affected Versions Locutus versions prior to 3.0.25 Description The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` ...
Locutus security vulnerability
Locutus is an open-source JavaScript library developed by Locutus. Versions of Locutus prior to 3.0.25 contained security vulnerabilities. These vulnerabilities stemmed from the unserialize function not filtering the `__proto__` key, which could lead to prototype pollution, property injection, and...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process of the AccessTokenAuthenticator class when restoring OAuth token state from cache or storage using PHP's unserialize with `allowed_classes = true`. An attacker can achieve...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with `allowed_classes = true`. An attacker who can control the serialized...
CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with `allowed_classes = true`. An attacker who can control the serialized...
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with `allowed_classes = true`. An attacker who can control the serialized...
PT-2026-28182
Name of the Vulnerable Software and Affected Versions Saloon versions prior to 4.0.0 Description Saloon is a PHP library used for building API integrations and SDKs. The library used PHP's unserialize function in the AccessTokenAuthenticator::unserialize method, with allowed classes set to true, ...
Saloon code issue vulnerability
Saloon is a PHP API integration and SDK library developed by Saloon PHP Open Source. Versions of Saloon prior to 4.0.0 had code vulnerabilities. These vulnerabilities stemmed from the use of unserialize in AccessTokenAuthenticator::unserialize, which used PHP's unserialize method to restore th...
EUVD-2026-13374
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...
PT-2026-26447
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...
Exploit for Improper Input Validation in Typo3
TYPO3 CVE-2020-15099 — Unauthenticated RCE PHP Object Injecti...
CVE-2026-2626
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...