CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1301 matches found

CVE-2026-10721

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 f...

8.4CVSS5.5AI score0.00023EPSS

Exploits0References1

Nuclei•added 2 days ago•428 views

Revive Adserver 4.2 - Remote Code Execution

Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...

9.8CVSS8.2AI score0.89078EPSS

Exploits7References5

NVD•added 3 days ago•6 views

CVE-2026-10721

8.4CVSS0.00023EPSS

Exploits0References1

Cvelist•added 3 days ago•28 views

CVE-2026-10721 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components

8.4CVSS0.00023EPSS

Exploits0References1

CVE•added 3 days ago•12 views

CVE-2026-10721

Concrete CMS

8.4CVSS5.5AI score0.00023EPSS

Exploits0References1

Vulnrichment•added 3 days ago•5 views

CVE-2026-10721 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components

8.4CVSS5.5AI score0.00023EPSS

Exploits0References1

EUVD•added 3 days ago•5 views

EUVD-2026-35994

8.4CVSS5.5AI score0.00023EPSS

Exploits0References1

Positive Technologies•added 3 days ago•5 views

PT-2026-48390

8.4CVSS5.5AI score0.00023EPSS

Exploits0References2

Cvelist•added 4 days ago•28 views

CVE-2026-46491 SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controll...

8.6CVSS0.00119EPSS

Exploits0References3

CVE•added 4 days ago•11 views

CVE-2026-46491

CVE-2026-46491 affects the simplesamlphp-module-casserver when using the FileSystemTicketStore. A attacker-controlled ticket identifier is concatenated into the ticket path, enabling path traversal (e.g., ../target.serialized) to read and unserialize files outside the ticket directory. In the CAS...

8.6CVSS5.5AI score0.00119EPSS

Exploits0References3

NVD•added 4 days ago•7 views

CVE-2026-8365

The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksymeta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksysanitizepostmetaoptions...

8.8CVSS0.00633EPSS

Exploits0References13

RedhatCVE•added 6 days ago•10 views

CVE-2026-7654

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize without an allowedclasses restriction in the IdsToCollection::getidsfromstring function, which processes...

8.8CVSS6.6AI score0.00523EPSS

Exploits0References1

EUVD•added 2026/06/06 12:31 a.m.•6 views

EUVD-2026-34922

8.8CVSS6.6AI score0.00523EPSS

Exploits0References11

Cvelist•added 2026/06/05 10:28 p.m.•29 views

CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

8.8CVSS0.00523EPSS

Exploits0References10

Vulnrichment•added 2026/06/05 10:28 p.m.•5 views

CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

8.8CVSS6.6AI score0.00523EPSS

Exploits0References10

CVE•added 2026/06/05 10:28 p.m.•15 views

CVE-2026-7654

The Admin Columns plugin for WordPress (up to version 7.0.18) is vulnerable to PHP Object Injection that leads to Remote Code Execution. Root cause: unserialize() used without an allowed_classes restriction in IdsToCollection::get_ids_from_string(), processing attacker-controlled post meta values...

8.8CVSS6.6AI score0.00523EPSS

Exploits0References10

RedhatCVE•added 2026/06/05 7:46 p.m.•6 views

CVE-2026-42472

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize on data from Redis in the RedisHandler object...

9.8CVSS5.5AI score0.00055EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:22 p.m.•7 views

CVE-2026-7888

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

8.4CVSS5.6AI score0.00035EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:21 p.m.•6 views

CVE-2026-3296

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

9.8CVSS5.6AI score0.00037EPSS

Exploits1References1

RedhatCVE•added 2026/06/05 7:15 p.m.•6 views

CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

9.2CVSS5.7AI score0.03271EPSS

Exploits1References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by