Total
2503 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24978 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1. | |||||
| CVE-2026-25360 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9. | |||||
| CVE-2026-32484 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26. | |||||
| CVE-2026-27095 | 2026-03-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0. | |||||
| CVE-2026-32508 | 2026-03-30 | N/A | 5.4 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection.This issue affects Halstein: from n/a through < 1.8. | |||||
| CVE-2026-24974 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1. | |||||
| CVE-2026-32510 | 2026-03-30 | N/A | 5.4 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen allows Object Injection.This issue affects Kamperen: from n/a through < 1.3. | |||||
| CVE-2026-32502 | 2026-03-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6. | |||||
| CVE-2026-32511 | 2026-03-30 | N/A | 5.4 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allows Object Injection.This issue affects Stål: from n/a through < 1.7. | |||||
| CVE-2026-32506 | 2026-03-30 | N/A | 5.4 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection.This issue affects Archicon: from n/a through < 1.7. | |||||
| CVE-2026-32513 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through <= 6.1.7. | |||||
| CVE-2026-25031 | 2026-03-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27. | |||||
| CVE-2026-32512 | 2026-03-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10. | |||||
| CVE-2026-25358 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2. | |||||
| CVE-2026-27082 | 2026-03-30 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12. | |||||
| CVE-2026-25359 | 2026-03-30 | N/A | 8.8 HIGH | ||
| Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5. | |||||
| CVE-2026-3328 | 2026-03-30 | N/A | 7.2 HIGH | ||
| The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution. | |||||
| CVE-2026-4860 | 2026-03-30 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-33728 | 2026-03-30 | N/A | N/A | ||
| dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`. | |||||
| CVE-2026-33701 | 2026-03-30 | N/A | N/A | ||
| OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration. | |||||