16 matches found
EUVD-2025-198374
IBM webMethods Integration 10.11 through 10.11CoreFix22, 10.15 through 10.15CoreFix22, and 11.1 through 11.1CoreFix6 allow an authenticated user to execute arbitrary code on the system, caused by deserialization of untrusted object graph data...
CVE-2025-36072
IBM webMethods Integration (on prem) is affected by CVE-2025-36072 due to deserialization of untrusted object graphs, enabling an authenticated user to execute arbitrary code. Affected versions include 10.11 through IS_10.11_Core_Fix22, 10.15 through IS_10.15_Core_Fix22, and 11.1 through IS_11.1_...
SUSE CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object...
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object...
Deserialisation Of Untrusted Object
JMSSink in log4j is vulnerable to deserialization of untrusted objects. The insecure use of JNDI in JMSSink allows an attacker to place a malicious object in the LDAP store if that store is accessible to the attacker or JMSSink is configured to use an untrusted site, leading to remote code execution. Note: this...
Remote Code Execution (RCE)
Apache Chainsaw in log4j is vulnerable to remote code execution. The flaw is a deserialization of untrusted objects vulnerability that allows an attacker to execute malicious scripted code via the system...
Deserialization Of Untrusted Object
jackson-databind is vulnerable to deserialization of untrusted data that can lead to remote code execution. It is possible because the untrusted class org.apache.commons.dbcp2.datasources.SharedPoolDataSource was not filtered by default from the interaction between serialization gadgets and...
Arbitrary Code Execution
jackson-databind is vulnerable to arbitrary code execution. The vulnerability exists because the untrusted Java class com.pastdev.httpcomponents.configuration.JndiConfiguration is not filtered by default, allowing an attacker to execute arbitrary code during deserialization...
Deserialization Of Untrusted Object
jodd-json is vulnerable to deserialization of untrusted objects. The vulnerability exists because the setClassMetadataName method, once introduced, fails to properly restrict certain types of classes during deserialization...
Ruby on Rails code issue vulnerability (CNVD-2020-39016)
Ruby on Rails is an open-source web application framework written in Ruby and maintained by the Rails team. A code issue vulnerability exists in Ruby on Rails versions prior to 5.2.5 and prior to 6.0.4. An attacker can exploit this vulnerability to inject untrusted Ruby objects into a web application,...
Deserialization Of Untrusted Object
jackson-databind is vulnerable to deserialization of untrusted data. It was possible for an untrusted class, org.springframework.aop.config.MethodLocatingFactoryBean, and org.springframework.beans.factory.config.BeanReferenceFactoryBean, to be used as a serialization gadget through polymorphic...
Deserialization Of Untrusted Object
bson is vulnerable to deserialization of untrusted objects. The vulnerability exists because it does not properly check the values of bsontype, allowing the value to be skipped...
Deserialization Of Untrusted Object
jackson-databind is vulnerable to deserialization of untrusted data. It was possible for an untrusted class, javax.swing.JEditorPane to be used as a serialization gadget through polymorphic typing, potentially allowing execution of arbitrary code...
Deserialization Of Untrusted Object
Apache Storm UI Daemon is vulnerable to deserialization of untrusted objects. When it is used with the storm-kafka-client or storm-kafka modules, it does not filter untrusted input bytes before deserialization, allowing an attacker to provide malicious bytes to abuse the logic of the applicati...
Deserialization Of Untrusted Object
jackson-databind is vulnerable to deserialization of untrusted objects. The vulnerability exists because it does not validate the gadget type before performing deserialization of polymorphic types, with no limits...
Remote Code Execution Via Deserialisation Of Untrusted Object
node-serialize is vulnerable to remote code execution. The vulnerability exists when untrusted user input containing an Immediately Invoked Function Expression (IIFE) is passed to the unserialize function, which uses eval internally for deserialization...