Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24661 | 2025-02-03 | 9.8 Critical | ||
| Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.1.8. | ||||
| CVE-2024-37060 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | ||||
| CVE-2024-37059 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37058 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37057 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37056 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37055 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37054 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37053 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-37052 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2025-24794 | 2025-01-31 | 6.7 Medium | ||
| The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0. Snowflake fixed the issue in version 3.13.1. | ||||
| CVE-2025-0841 | 2025-01-31 | 7.3 High | ||
| A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. This vulnerability affects the function loadMore of the component News. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2024-1813 | 1 Presstigers | 1 Simple Job Board | 2025-01-31 | 9.8 Critical |
| The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the job_board_applicant_list_columns_value function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code when a submitted job application is viewed. | ||||
| CVE-2023-20852 | 1 Aenrich | 1 A\+hrd | 2025-01-30 | 9.8 Critical |
| aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ interpreter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands to perform arbitrary system operation or disrupt service. | ||||
| CVE-2023-20853 | 1 Aenrich | 1 A\+hrd | 2025-01-30 | 9.8 Critical |
| aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ asynchronized message process. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands to perform arbitrary system operation or disrupt service. | ||||
| CVE-2024-13742 | 1 Icontrolwp | 1 Icontrolwp | 2025-01-30 | 9.8 Critical |
| The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2023-1669 | 1 Seopress | 1 Seopress | 2025-01-30 | 7.2 High |
| The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | ||||
| CVE-2023-1196 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2025-01-30 | 8.8 High |
| The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. | ||||
| CVE-2024-9314 | 1 Rankmath | 2 Rankmath Seo Ai Seo Tools To Dominate Seo Rankings, Seo | 2025-01-29 | 7.2 High |
| The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted input 'set_redirections' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2021-31010 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2025-01-29 | 7.5 High |
| A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.. | ||||