CVE-2026-1235

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

CVE-2026-23524

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize function without restricting which classes can be instantiated, which leaves users vulnerable to...

CVE-2026-23524

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize function without restricting which classes can be instantiated, which leaves users vulnerable to...

CVE-2026-23524

Laravel Reverb (laravel/reverb) prior to v1.7.0 is exposed to Remote Code Execution when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true) because data from the Redis channel is deserialized with PHP unserialize() without class restrictions. Affected versions are v1.6.3 and below; vulne...

WordPress Nexter Extension - Site Enhancements Toolkit plugin <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace' vulnerability

WordPress Nexter Extension - Site Enhancements Toolkit plugin = 4.4.6 - Unauthenticated PHP Object Injection via 'nxtunserializereplace' vulnerability discovered by Webbernaut in WordPress Plugin Nexter Extension versions = 4.4.6...

PT-2026-3792

Name of the Vulnerable Software and Affected Versions Laravel Reverb versions 1.6.3 and below Description Laravel Reverb, a real-time WebSocket communication backend for Laravel applications, has an issue where it passes data from the Redis channel directly into PHP’s unserialize function without...

CVE-2026-0726 Nexter Extension – Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxtunserializereplace' function. This makes it possible for unauthenticated attackers to inject a...

PT-2026-4332

CVE-2026-23911 - Adobe Flash Player Unserialize Buffer Overflow CVE ID : CVE-2026-23911 Published : Jan. 20, 2026, 5:16 a.m. | 1 hour, 29 minutes ago Description : Rejected reason: Not used Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and...

MiracleLinux 7 : glusterfs-3.12.2-18.el7 (AXSA:2019-3587:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-3587:01 advisory. glusterfs: Improper deserialization in dict.c:dictunserialize can allow attackers to read arbitrary memory CVE-2018-10911 Tenable has extracted the preceding...

CVE-2009-4137

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the destruct function in the...

PT-2026-1654

Name of the Vulnerable Software and Affected Versions DZS Video Gallery versions through 12.37 Description The software contains a flaw due to deserialization of untrusted data, which allows for object injection. This issue presents a potential for remote code execution. The vulnerable component...

📄 Taiga Tribe_gig Authenticated Unserialize Remote Code Execution

This Metasploit module exploits an unserialization flaw by creating a userstory in a project. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class TaigaClientException 'Taiga tribegig authenticated unserialize remote...

CVE-2025-63951

An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 2025-10-07. The 'rss' GET parameter receives data that is passed directly to the unserialize function without validation. Thi...

CVE-2025-63950

An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b 2023-02-28. The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize function without validation...

CVE-2025-63950

An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b 2023-02-28. The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize function without validation...

CVE-2025-63950

The CVE describes an insecure deserialization vulnerability in the to3k Twittodon application, specifically in the download.php script where the obj parameter is base64-encoded data passed directly to unserialize() without validation. This allows a remote, unauthenticated attacker to inject arbit...

CVE-2025-63951

The CVE-2025-63951 vulnerability affects the MiczFlor RPi-Jukebox-RFID project, specifically the rss-mp3.php script. The rss GET parameter is passed directly to PHP’s unserialize() without validation, enabling a remote, unauthenticated attacker to inject arbitrary PHP objects, which can cause err...

PT-2025-52347

Name of the Vulnerable Software and Affected Versions MiczFlor RPi-Jukebox-RFID versions prior to commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 2025-10-07 Description An insecure deserialization issue exists in the rss-mp3.php script. The rss GET parameter receives data that is directly passed ...

CVE-2025-66571

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profileid POST parameter is passed to PHP unserialize without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially wri...

CVE-2025-66571

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profileid POST parameter is passed to PHP unserialize without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially wri...