Total
2101 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-25940 | 1 Visicut | 1 Visicut | 2025-06-23 | 9.8 Critical |
| VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java. | ||||
| CVE-2025-46738 | 1 Schweitzer Engineering Laboratories | 1 Sel-5033 Acselerator Rtac Software | 2025-06-23 | 6.6 Medium |
| An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code. | ||||
| CVE-2025-27531 | 1 Apache | 1 Inlong | 2025-06-23 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue. | ||||
| CVE-2025-48200 | 1 Typo3 | 1 Sr Feuser Register Extension | 2025-06-20 | 10 Critical |
| The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. | ||||
| CVE-2025-49113 | 1 Roundcube | 1 Webmail | 2025-06-20 | 9.9 Critical |
| Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | ||||
| CVE-2025-49331 | 2025-06-20 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in impleCode eCommerce Product Catalog allows Object Injection. This issue affects eCommerce Product Catalog: from n/a through 3.4.3. | ||||
| CVE-2025-49330 | 2025-06-20 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through 1.3.0. | ||||
| CVE-2022-1471 | 2 Redhat, Snakeyaml Project | 14 Amq Clients, Amq Streams, Enterprise Linux and 11 more | 2025-06-18 | 8.3 High |
| SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. | ||||
| CVE-2024-1432 | 2025-06-17 | 5 Medium | ||
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22 and classified as problematic. This issue affects the function apply_xseg of the file main.py. The manipulation leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253391. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-24590 | 1 Clear | 1 Clearml | 2025-06-17 | 8 High |
| Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-22284 | 1 Asgaros | 1 Asgaros Forum | 2025-06-17 | 8.7 High |
| Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2. | ||||
| CVE-2022-45083 | 1 Properfraction | 1 Profilepress | 2025-06-17 | 6.6 Medium |
| Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.3.2. | ||||
| CVE-2025-31919 | 2025-06-17 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7. | ||||
| CVE-2025-30618 | 2025-06-17 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce allows Object Injection. This issue affects Rapyd Payment Extension for WooCommerce: from n/a through 1.2.0. | ||||
| CVE-2023-52225 | 1 Taggbox | 1 Taggbox | 2025-06-17 | 10 Critical |
| Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1. | ||||
| CVE-2023-52200 | 1 Reputeinfosystems | 1 Armember | 2025-06-17 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a. | ||||
| CVE-2024-48112 | 1 Thinkphp | 1 Thinkphp | 2025-06-17 | 9.8 Critical |
| A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | ||||
| CVE-2025-24919 | 2025-06-17 | 8.1 High | ||
| A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability. | ||||
| CVE-2025-46567 | 1 Hiyouga | 1 Llama-factory | 2025-06-17 | 6.1 Medium |
| LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0. | ||||
| CVE-2024-2054 | 1 Articatech | 1 Artica Proxy | 2025-06-17 | 9.8 Critical |
| The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. | ||||