Lucene search
K

1321 matches found

OSV
OSV
added 2026/05/05 9:29 p.m.4 views

GHSA-GWFR-JFJF-92VV Grav has Insecure Deserialization in File Cache

Insecure Deserialization in File Cache - Severity: High - CWE: CWE-502 - Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php - Sink: unserialize$value, 'allowedclasses' = true Affected versions - Affected: = 1.7.44 and true allows object instantiation and does not constrain classes. P...

5CVSS5.8AI score0.00224EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.7 views

Grav has Insecure Deserialization in File Cache

Insecure Deserialization in File Cache - Severity: High - CWE: CWE-502 - Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php - Sink: unserialize$value, 'allowedclasses' = true Affected versions - Affected: = 1.7.44 and true allows object instantiation and does not constrain classes. P...

5CVSS5.8AI score0.00224EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2026/05/05 9:29 p.m.4 views

GHSA-VJ3M-2G9H-VM4P Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget Critical system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserializebase64decode... without restricting allowedclasses. The Job class has...

9.8CVSS6AI score0.01683EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.6 views

Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget Critical system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserializebase64decode... without restricting allowedclasses. The Job class has...

6AI score
Exploits0References3Affected Software1
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.28 views

VulnCheck KEV: CVE-2026-3296

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

9.8CVSS5.8AI score0.00878EPSS
In wildExploits1References2
GithubExploit
GithubExploit
added 2026/05/02 2:18 p.m.148 views

php-8.5.5-var_destroy-uaf

PHP 8.5.5 — vardestroy destruct reentrancy UAF Siste...

6AI score
Exploits0
Snyk
Snyk
added 2026/05/01 5:32 p.m.7 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process. An attacker can execute arbitrary code by sending a crafted serialized PHP closure to the TCP server, which is then deserialized and executed without authentication or...

8.6CVSS6.1AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 5:32 p.m.6 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unserialize function in the sync-invoke client when processing data received from a server response. An attacker can execute arbitrary code by sending crafted serialized data from a malicious...

9.8CVSS6.1AI score0.01757EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/01 5:32 p.m.5 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the FileHandler process. An attacker can execute arbitrary code by supplying crafted serialized data to the session or cache handlers, which are processed using unserialize from the filesystem...

9.8CVSS6.1AI score0.0038EPSS
Exploits0References2
NVD
NVD
added 2026/05/01 4:16 p.m.10 views

CVE-2026-42471

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client Connection.php:76 calls unserialize on data received from the server response, enabling client-side RCE if connecting to a malicious server...

8.1CVSS0.01757EPSS
Exploits2References3
CNNVD
CNNVD
added 2026/05/01 12:0 a.m.11 views

Mix PHP 代码问题漏洞

Mix PHP is Mix PHP open source a PHP command line mode development framework that supports seamless multi-server ecosystem switching. A code issue vulnerability exists in Mix PHP versions 2.x through 2.2.17 that stems from a session and cache handler call to unserialize on file system data in the...

9.8CVSS5.9AI score0.0038EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/01 12:0 a.m.3 views

CVE-2026-42473

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize on data from the filesystem in the FileHandler object...

9.8CVSS5.8AI score0.0038EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/01 12:0 a.m.9 views

PT-2026-36488

Name of the Vulnerable Software and Affected Versions MixPHP Framework versions 2.x through 2.2.17 Description An unsafe deserialization issue exists in the sync-invoke client within the Connection.php file at line 76. The client uses the unserialize function on data received from server response...

8.1CVSS6.6AI score0.01757EPSS
Exploits2References7
Vulnrichment
Vulnrichment
added 2026/05/01 12:0 a.m.5 views

CVE-2026-42472

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize on data from Redis in the RedisHandler object...

5.8AI score0.0038EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/01 12:0 a.m.10 views

Mix PHP 代码问题漏洞

Mix PHP is Mix PHP open source a PHP command line mode development framework that supports seamless multi-server ecosystem switching. A code issue vulnerability exists in Mix PHP versions 2.x through 2.2.17, which stems from a call to unserialize in Connection.php to process server response data,...

8.1CVSS6.4AI score0.01757EPSS
Exploits2References2
Github Security Blog
Github Security Blog
added 2026/04/14 12:7 a.m.6 views

Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Summary A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities: SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create an...

7.7CVSS6.7AI score0.00476EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/13 9:13 p.m.3 views

SQL Injection

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to SQL Injection via the TotalRevenue widget, where unsanitized widget settings are interpolated into SQL expressions. An attacker can execute arbitrary commands on the server by injecting a maliciousl...

7.7CVSS6.4AI score0.00476EPSS
Exploits0References2
Zero Science Lab
Zero Science Lab
added 2026/04/12 12:0 a.m.68 views

Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Summary Pachno is an open-source collaboration platform formerly known as The Bug Genie designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public...

9.8CVSS6.4AI score0.00484EPSS
Exploits1
NVD
NVD
added 2026/04/08 2:16 a.m.11 views

CVE-2026-3296

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

9.8CVSS0.00878EPSS
Exploits1References6
CVE
CVE
added 2026/04/08 1:24 a.m.50 views

CVE-2026-3296

The Everest Forms WordPress plugin ( 3.4.3 (e.g., 3.4.4 or later) to fix the issue. If upgrading is not immediate, disable or audit admin entry views to avoid triggering deserialization.

9.8CVSS5.9AI score0.00878EPSS
In wildExploits1References6
Rows per page
Query Builder