23 matches found
GHSA-GWHV-J974-6FXM MikroORM is vulnerable to SQL Injection via specially crafted object
Summary MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments. Impact If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead ...
PT-2026-28611
Name of the Vulnerable Software and Affected Versions MikroORM versions 6.6.9 and earlier MikroORM versions 7.0.5 and earlier Description MikroORM is susceptible to SQL injection when processing specially crafted objects as raw SQL query fragments. If user-controlled input is directly passed to...
GHSA-4HX9-48XH-5MXR Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation Disable LDAP referrals in all LDAP user providers in all realms...
EUVD-2025-199598
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization...
CVE-2025-13467
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...
org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...
CVE-2025-13467
CVE-2025-13467 affects Keycloak's LDAP User Federation provider. An authenticated realm administrator can trigger deserialization of untrusted Java objects by supplying a malicious LDAP server configuration. Public documentation in connected advisories confirms this is an admin-triggered de...
PT-2025-48039
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Keycloak LDAP User Federation provider that allows an authenticated realm administrator to trigger deserialization of untrusted Java objects. This is achieved through a...
Red Hat build of Keycloak security vulnerability
Red Hat build of Keycloak is a single sign-on web application from Red Hat, Inc. A security vulnerability exists in Red Hat build of Keycloak version 26.2 that arises from deserializing untrusted Java objects and could lead to remote code execution...
GHSA-VR64-R9QJ-H27F Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service
Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject. Reading serialized objects from an untrusted source is inherently unsafe; this affects any program running on any version of the JVM and is a prerequisite for this vulnerability. Clojure classes that...
GHSA-JGXC-8MWQ-9XQW Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...
DEBIAN-CVE-2017-20189
In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects...
IBM B2B Advanced Communications code issue vulnerability
IBM B2B Advanced Communications is a comprehensive business-to-business (B2B) integration solution from International Business Machines (IBM). It is part of the IBM Sterling B2B Integration product family and is designed to simplify and optimize B2B interactions between businesses and partners. A...
PT-2023-19848 · IBM · IBM B2B Advanced Communications +1
Name of the Vulnerable Software and Affected Versions: IBM B2B Advanced Communications version 1.0.0.0 IBM Multi-Enterprise Integration Gateway version 1.0.0.1 Description: The issue allows a user to cause a denial of service due to the deserializing of untrusted serialized Java objects...
SUSE CVE-2012-0446
Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to inject arbitrary web script or HTML via a (1) web page or (2) Firefox extension, related to improper enforcement of XPConnect security...
Arbitrary Code Execution
GraniteDS is vulnerable to arbitrary code execution. It fails to prevent instantiation of untrusted objects via a public parameterless constructor and the invocation of arbitrary JavaBeans setter methods, thereby allowing an attacker to send malicious Java objects with pre-set properties, leading to arbitra...
xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library: it deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element...
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a...
OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from...