Total
2312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-40551 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 9.8 CRITICAL |
| SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | |||||
| CVE-2025-40553 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 9.8 CRITICAL |
| SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | |||||
| CVE-2026-25615 | 2026-02-03 | N/A | 7.2 HIGH | ||
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | |||||
| CVE-2026-25614 | 2026-02-03 | N/A | 7.5 HIGH | ||
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | |||||
| CVE-2026-24954 | 2026-02-03 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.0.8. | |||||
| CVE-2025-30160 | 1 Redlib | 1 Redlib | 2026-02-03 | N/A | 7.5 HIGH |
| Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0. | |||||
| CVE-2025-33210 | 1 Nvidia | 1 Isaac Lab | 2026-02-02 | N/A | 9.0 CRITICAL |
| NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. | |||||
| CVE-2025-56005 | 1 Dabeaz | 1 Ply | 2026-01-30 | N/A | 9.8 CRITICAL |
| An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. | |||||
| CVE-2026-24747 | 1 Linuxfoundation | 1 Pytorch | 2026-01-30 | N/A | 8.8 HIGH |
| PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. | |||||
| CVE-2026-1691 | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-27925 | 1 Nintex | 1 Automation | 2026-01-29 | N/A | 8.5 HIGH |
| Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input. | |||||
| CVE-2026-24765 | 2026-01-29 | N/A | 7.8 HIGH | ||
| PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. | |||||
| CVE-2025-67619 | 2026-01-29 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2. | |||||
| CVE-2025-67617 | 2026-01-29 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection.This issue affects Consult Aid: from n/a through <= 1.4.3. | |||||
| CVE-2025-69099 | 2026-01-28 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection.This issue affects North: from n/a through <= 5.7.5. | |||||
| CVE-2025-27522 | 1 Apache | 1 Inlong | 2026-01-28 | N/A | 6.5 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732 | |||||
| CVE-2024-37502 | 1 Wpwebelite | 1 Woocommerce Social Login | 2026-01-28 | N/A | 5.4 MEDIUM |
| Deserialization of Untrusted Data vulnerability in wpweb WooCommerce Social Login.This issue affects WooCommerce Social Login: from n/a through 2.6.3. | |||||
| CVE-2025-68047 | 2026-01-28 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.1. | |||||
| CVE-2025-69036 | 2026-01-28 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection.This issue affects Tech Life CPT: from n/a through <= 16.4. | |||||
| CVE-2025-69035 | 2026-01-28 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection.This issue affects Dental Care CPT: from n/a through <= 20.2. | |||||