Lucene search
K

1318 matches found

CNNVD
CNNVD
added 2026/03/27 12:0 a.m.8 views

Locutus 安全漏洞

Locutus is an open-source JavaScript library developed by Locutus. Versions of Locutus prior to 3.0.25 contained security vulnerabilities. These vulnerabilities stemmed from the unserialize function not filtering the proto key, which could lead to prototype pollution, property injection, and...

9.8CVSS5.8AI score0.00583EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.6 views

PT-2026-28587

Name of the Vulnerable Software and Affected Versions Locutus versions prior to 3.0.25 Description The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto ...

6.9CVSS5.9AI score0.00583EPSS
Exploits1References8
Snyk
Snyk
added 2026/03/26 2:24 a.m.5 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process of the AccessTokenAuthenticator class when restoring OAuth token state from cache or storage using PHP's unserialize with allowedclasses = true. An attacker can achieve...

9.8CVSS6.4AI score0.00622EPSS
Exploits0References2
NVD
NVD
added 2026/03/26 1:16 a.m.8 views

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

9.8CVSS0.00622EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/26 12:27 a.m.25 views

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

9.3CVSS0.00622EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/26 12:27 a.m.7 views

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

9.3CVSS6.6AI score0.00622EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.8 views

Saloon 代码问题漏洞

Saloon is a PHP API integration and SDK library developed by Saloon PHP Open Source. Versions of Saloon prior to 4.0.0 had code vulnerabilities. These vulnerabilities stemmed from the use of un serialize in AccessTokenAuthenticator::un serialize, which used PHP’s un serialize method to restore th...

9.8CVSS6.2AI score0.00622EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.21 views

PT-2026-28182

Name of the Vulnerable Software and Affected Versions Saloon versions prior to 4.0.0 Description Saloon is a PHP library used for building API integrations and SDKs. The library used PHP's unserialize function in the AccessTokenAuthenticator::unserialize method, with allowed classes set to true, ...

9.8CVSS6.4AI score0.00622EPSS
Exploits0References8
EUVD
EUVD
added 2026/03/19 11:12 p.m.5 views

EUVD-2026-13374

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...

8.6CVSS6.1AI score0.00469EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/19 12:0 a.m.6 views

PT-2026-26447

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary...

8.6CVSS6.1AI score0.00469EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/03/14 8:11 p.m.329 views

Exploit for Improper Input Validation in Typo3

TYPO3 CVE-2020-15099 — Unauthenticated RCE PHP Object Injecti...

8.8CVSS7.9AI score0.01782EPSS
Exploits1
NVD
NVD
added 2026/03/11 6:17 a.m.6 views

CVE-2026-2626

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

8.1CVSS0.00156EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/11 6:0 a.m.7 views

CVE-2026-2626

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

5.8AI score0.00156EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/11 6:0 a.m.5 views

EUVD-2026-11096

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

5.8AI score0.00156EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/11 6:0 a.m.30 views

CVE-2026-2626 Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

0.00156EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.8 views

PT-2026-24587

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

8.1CVSS5.8AI score0.00156EPSS
Exploits0References5
VulnCheck KEV
VulnCheck KEV
added 2026/03/09 12:0 a.m.7 views

VulnCheck KEV: CVE-2019-5434

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities...

9.8CVSS5.8AI score0.57022EPSS
In wildExploits7References27
Fedora
Fedora
added 2026/03/05 12:57 a.m.10 views

[SECURITY] Fedora 43 Update: php-zumba-json-serializer-3.2.4-1.fc43

This is a library to serialize PHP variables in JSON format. It is similar of the serialize function in PHP, but the output is a string JSON encoded. You can also unserialize the JSON generated by this tool and have you PHP content back. Autoloader: /usr/share/php/Zumba/JsonSerializer/autoload.ph...

6AI score
Exploits0
OSV
OSV
added 2026/03/04 3:31 a.m.5 views

GHSA-GJ26-W59C-29MF Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...

8.9CVSS6AI score0.00605EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/04 1:56 a.m.6 views

CVE-2024-47886

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution RCE within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an...

8.7CVSS6.7AI score0.00905EPSS
Exploits1References1
Rows per page
Query Builder