Critical
CVE-2021-41419
QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.
Tag: Insecure Deserialization
All CVEs associated with "Insecure Deserialization". Page 14/17 • 2007 CVEs.
Subscribe CVEs: RSS for “Insecure Deserialization” · RSS (High+Critical only)
About “Insecure Deserialization”
A curated feed of “Insecure Deserialization”-related CVEs appears below. We currently track 2007 CVEs for this tag (all time). In the last 365 days, 674 were published. Average CVSS is 8.4 (all time; 8.3 over 365d), and 85% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-502 - Deserialization of Untrusted Data, CWE-20 - Improper Input Validation, CWE-94 - Improper Control of Generation of Code ('Code Injection').
In our taxonomy this topic maps to a HIGH impact class. Common exploitation patterns for this weakness can lead to high. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2022-07-18
2022-07-13
Critical
CVE-2022-35857
kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kv…
2022-07-01
Critical
CVE-2022-31605
NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may all…
Critical
CVE-2022-31604
NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Un…
2022-06-30
High
CVE-2022-31115
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ru…
2022-06-29
Critical
CVE-2022-33107
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers…
2022-06-16
High
CVE-2022-1642
A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability…
2022-06-15
Medium
CVE-2022-20195
In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. This could lead to local denial of service with User execution privileges needed. U…
2022-06-13
Critical
CVE-2021-40604
A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when ge…
2022-06-10
High
CVE-2022-25863
The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default…
High
CVE-2022-25845
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions.…
2022-06-02
Critical
CVE-2022-1660
The affected products are vulnerable of untrusted data due to deserialization without prior authorization/authentication, which may allow an attacker to remotely execute arbitrary code.
2022-06-01
Critical
CVE-2022-29875
A vulnerability has been identified in Biograph Horizon PET/CT Systems (All VJ30 versions < VJ30C-UD01), MAGNETOM Family (NUMARIS X: VA12M, VA12S, VA10B, VA20A, VA30A, VA31A), MAMMOMAT Revelation (Al…
2022-05-17
Critical
CVE-2022-24108
The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on…
2022-05-16
High
CVE-2022-0573
JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted…
2022-05-12
Critical
CVE-2022-29363
Phpok v6.1 was discovered to contain a deserialization vulnerability via the update_f() function in login_control.php. This vulnerability allows attackers to getshell via writing arbitrary files.
2022-05-06
High
CVE-2021-23592
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
2022-05-02
Critical
CVE-2020-23621
The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow at…
Critical
CVE-2020-23620
The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to…
2022-05-01
Critical
CVE-2022-25767
All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of loc…
High
CVE-2022-25647
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
2022-04-29
High
CVE-2022-29936
USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Ora…
2022-04-25
Critical
CVE-2022-1390
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server runnin…
2022-04-20
Critical
CVE-2022-29528
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
Critical
CVE-2022-26133
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior…
2022-04-15
Critical
CVE-2022-27158
pearweb < 1.32 suffers from Deserialization of Untrusted Data.
2022-04-14
Critical
CVE-2022-24846
GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and res…
2022-04-13
High
CVE-2022-24847
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn c…
High
CVE-2022-24818
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used t…
High
CVE-2022-22958
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access…
High
CVE-2022-22957
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access…
High
CVE-2019-6834
A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user t…
2022-04-12
Critical
CVE-2022-23450
A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users…
2022-04-06
Medium
CVE-2022-20763
A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. This vulnerability is due to improper deseri…
2022-04-05
Critical
CVE-2020-19229
Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute…
2022-03-29
High
CVE-2022-1032
Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6.
2022-03-23
Critical
CVE-2021-27470
A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a rem…
Critical
CVE-2021-27466
A deserialization vulnerability exists in how the ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a…
Critical
CVE-2021-27462
A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a rem…
2022-03-17
High
CVE-2022-26503
Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges.
2022-03-10
High
CVE-2022-23940
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the e…
2022-03-08
High
CVE-2022-24282
A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected system allows to upload JSON object…
2022-02-18
High
CVE-2022-0138
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate…
2022-02-11
High
CVE-2021-39676
In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no a…
2022-01-28
Critical
CVE-2021-45899
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
2022-01-26
High
CVE-2021-41766
Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client…
2022-01-18
High
CVE-2022-23307
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
High
CVE-2022-23302
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP servic…
High
CVE-2021-45394
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
2022-01-10
Critical
CVE-2021-43297
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization…
2022-01-04
High
CVE-2022-21647
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary ob…
2021-12-23
High
CVE-2021-4118
pytorch-lightning is vulnerable to Deserialization of Untrusted Data
2021-12-22
Critical
CVE-2021-44029
An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function o…
2021-12-21
Critical
CVE-2021-36336
Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.
2021-12-15
High
CVE-2021-0970
In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. This could lead to local escalation of privilege with no additional execution priv…
High
CVE-2021-0928
In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege w…
High
CVE-2021-0921
In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege…
2021-12-14
High
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectio…
2021-12-07
High
CVE-2021-42130
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.
Critical
CVE-2021-42127
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
2021-12-06
Critical
CVE-2021-44682
An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-44681
An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-44680
An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-44679
An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-44678
An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-44677
An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for po…
Critical
CVE-2021-36567
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
Critical
CVE-2021-36564
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
2021-12-03
High
CVE-2021-23758
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code exec…
2021-11-15
High
CVE-2021-34992
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw ex…
2021-11-11
High
CVE-2021-26558
Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI Apache ShardingSphere-UI ver…
2021-11-05
Critical
CVE-2021-42237
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authenticat…
2021-10-28
Critical
CVE-2019-19810
Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending craf…
2021-10-25
Critical
CVE-2021-40865
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to v…
2021-10-21
Critical
CVE-2021-40719
Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary method invocation when AMF messages are deserialized on an Adobe Conne…
High
CVE-2021-39321
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user suppli…
2021-10-15
Critical
CVE-2021-40720
Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously cra…
2021-10-13
High
CVE-2021-40843
Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to exec…
2021-10-12
High
CVE-2021-33728
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deseriali…
2021-10-07
Critical
CVE-2021-42090
An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.
2021-10-06
High
CVE-2021-0685
In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no…
2021-10-01
Critical
CVE-2021-41110
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a…
2021-09-24
High
CVE-2021-41588
In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys.
Critical
CVE-2021-40102
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
2021-09-14
Critical
CVE-2021-37181
A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Com…
2021-09-10
High
CVE-2021-39207
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by…
Critical
CVE-2021-24040
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar ris…
2021-09-09
Critical
CVE-2021-37579
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can us…
High
CVE-2021-32836
ZStack is open source IaaS(infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in…
2021-09-08
High
CVE-2021-35217
Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker co…
2021-09-06
High
CVE-2021-32568
mrdoc is vulnerable to Deserialization of Untrusted Data
2021-09-01
High
CVE-2021-35218
Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could pot…
High
CVE-2021-35216
Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTT…
High
CVE-2021-35215
Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
2021-08-31
High
CVE-2021-36231
Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects.
High
CVE-2021-21677
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerabil…
High
CVE-2021-36981
In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.
2021-08-30
Critical
CVE-2021-34066
An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the maliciou…
2021-08-25
High
CVE-2021-21869
An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file…
2021-08-24
High
CVE-2021-31010
A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A…
2021-08-18
High
CVE-2021-21868
An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted f…
High
CVE-2021-21867
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafte…
2021-08-06
Critical
CVE-2021-37544
In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.
2021-08-05
High
CVE-2021-21863
A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to…
2021-08-04
High
CVE-2021-36483
DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization.
2021-08-02
High
CVE-2021-21866
A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafte…
High
CVE-2021-21865
A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can le…
High
CVE-2021-21864
A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially cra…
2021-07-30
Critical
CVE-2021-29781
IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker coul…
2021-07-29
Critical
CVE-2020-36239
Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from v…
2021-07-28
Critical
CVE-2020-5341
Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3,…
2021-07-22
Critical
CVE-2021-35464
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code executio…
2021-07-21
High
CVE-2021-22777
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file.
2021-07-08
High
CVE-2021-29150
A remote insecure deserialization vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager t…
2021-06-30
Critical
CVE-2021-35971
Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting.
2021-06-29
Critical
CVE-2021-29485
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a malicious attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chai…
High
CVE-2021-22439
There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. Successfully exploiting this vulnerability, the a…
2021-06-24
Critical
CVE-2021-31649
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute
2021-06-22
Medium
CVE-2021-34394
Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. An incorrect message stream deserialization allows an attacker to use the malicious CA that is run by the user t…
2021-06-21
High
CVE-2021-35196
Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() funct…