Total
2313 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15350 | 2026-01-26 | N/A | 7.8 HIGH | ||
| Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | |||||
| CVE-2025-15348 | 2026-01-26 | N/A | 7.8 HIGH | ||
| Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | |||||
| CVE-2026-0762 | 2026-01-26 | N/A | 8.1 HIGH | ||
| GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | |||||
| CVE-2026-0763 | 2026-01-26 | N/A | 9.8 CRITICAL | ||
| GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | |||||
| CVE-2026-0772 | 2026-01-26 | N/A | 7.5 HIGH | ||
| Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | |||||
| CVE-2026-0773 | 2026-01-26 | N/A | 9.8 CRITICAL | ||
| Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | |||||
| CVE-2025-30025 | 1 Axis | 2 Camera Station Pro, Device Manager | 2026-01-23 | N/A | 7.8 HIGH |
| The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. | |||||
| CVE-2025-30023 | 1 Axis | 3 Camera Station, Camera Station Pro, Device Manager | 2026-01-23 | N/A | 9.0 CRITICAL |
| The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. | |||||
| CVE-2023-7334 | 1 Chanjetvip | 1 T\+ | 2026-01-23 | N/A | 9.8 CRITICAL |
| Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC). | |||||
| CVE-2024-30226 | 1 Wpdeveloper | 1 Betterdocs | 2026-01-23 | N/A | 9.0 CRITICAL |
| Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3. | |||||
| CVE-2025-11346 | 1 Ilias | 1 Ilias | 2026-01-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 is able to mitigate this issue. It is advisable to upgrade the affected component. | |||||
| CVE-2025-11345 | 1 Ilias | 1 Ilias | 2026-01-23 | 6.5 MEDIUM | 5.5 MEDIUM |
| A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised. | |||||
| CVE-2025-47584 | 1 Themegoods | 1 Photography | 2026-01-22 | N/A | 8.5 HIGH |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.This issue affects Photography: from n/a through 7.5.2. | |||||
| CVE-2025-47579 | 1 Themegoods | 1 Photography | 2026-01-22 | N/A | 9.0 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2. | |||||
| CVE-2025-14071 | 2026-01-22 | N/A | 7.5 HIGH | ||
| The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2025-14930 | 1 Huggingface | 1 Transformers | 2026-01-21 | N/A | 7.8 HIGH |
| Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309. | |||||
| CVE-2025-14920 | 1 Huggingface | 1 Transformers | 2026-01-21 | N/A | 7.8 HIGH |
| Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423. | |||||
| CVE-2025-14921 | 1 Huggingface | 1 Transformers | 2026-01-21 | N/A | 7.8 HIGH |
| Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424. | |||||
| CVE-2025-14929 | 1 Huggingface | 1 Transformers | 2026-01-21 | N/A | 7.8 HIGH |
| Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308. | |||||
| CVE-2026-21226 | 1 Microsoft | 1 Azure Sdk For Python | 2026-01-20 | N/A | 7.5 HIGH |
| Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | |||||