Vulnerabilities > Deserialization of Untrusted Data

DATE  CVE  VULNERABILITY TITLE
  (second line of each entry: RISK as CVSS base score, attack vector, attack complexity, vendor, CWE; third line: description)

2024-01-24  CVE-2023-50943  Deserialization of Untrusted Data vulnerability in Apache Airflow
  Risk: CVSS 7.5 | Attack vector: network | Attack complexity: low | Vendor: apache | CWE-502
  Apache Airflow versions before 2.8.1 have a vulnerability that allows a potential attacker to poison XCom data by bypassing the protection of the "enable_xcom_pickling=False" configuration setting, resulting in poisoned data after XCom deserialization.

2024-01-22  CVE-2017-20189  Deserialization of Untrusted Data vulnerability in Clojure
  Risk: CVSS 9.8 (critical) | Attack vector: network | Attack complexity: low | Vendor: clojure | CWE-502
  In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization.

2024-01-16  CVE-2023-1405  Deserialization of Untrusted Data vulnerability in Strategy11 Formidable Forms
  Risk: CVSS 7.5 | Attack vector: network | Attack complexity: low | Vendor: strategy11 | CWE-502
  The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

2024-01-15  CVE-2023-6049  Deserialization of Untrusted Data vulnerability in Estatik
  Risk: CVSS 9.8 (critical) | Attack vector: network | Attack complexity: low | Vendor: estatik | CWE-502
  The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog.

2024-01-08  CVE-2023-5235  Deserialization of Untrusted Data vulnerability in Kutethemes Ovic Responsive Wpbakery
  Risk: CVSS 8.8 | Attack vector: network | Attack complexity: low | Vendor: kutethemes | CWE-502
  The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'.

2024-01-08  CVE-2023-6528  Deserialization of Untrusted Data vulnerability in Themepunch Slider Revolution
  Risk: CVSS 8.8 | Attack vector: network | Attack complexity: low | Vendor: themepunch | CWE-502
  The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.

2024-01-03  CVE-2023-49442  Deserialization of Untrusted Data vulnerability in Jeecg
  Risk: CVSS 9.8 (critical) | Attack vector: network | Attack complexity: low | Vendor: jeecg | CWE-502
  Deserialization of untrusted data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via a crafted POST request.

2023-12-31  CVE-2023-52182  Deserialization of Untrusted Data vulnerability in Ari-Soft ARI Stream Quiz
  Risk: CVSS 8.8 | Attack vector: network | Attack complexity: low | Vendor: ari-soft | CWE-502
  Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder. This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0.

2023-12-29  CVE-2023-51505  Deserialization of Untrusted Data vulnerability in Pluginus Woot
  Risk: CVSS 9.8 (critical) | Attack vector: network | Attack complexity: low | Vendor: pluginus | CWE-502
  Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce.

2023-12-25  CVE-2022-34268  Deserialization of Untrusted Data vulnerability in RWS Worldserver
  Risk: CVSS 9.8 (critical) | Attack vector: network | Attack complexity: low | Vendor: rws | CWE-502
  An issue was discovered in RWS WorldServer before 11.7.3.
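Every entry above is the same weakness (CWE-502) in a different serializer: the Airflow XCom case is Python pickle, the WordPress plugin cases are PHP unserialize() with a gadget chain, Clojure and JEECG are JVM deserialization. What they share is that the byte stream, not the application, decides which class is instantiated and which callable runs while the object is being rebuilt. The following Python example illustrates that mechanism with pickle and shows the two remediations a practitioner would apply: a restricted unpickler that refuses any global the stream names unless it is allowlisted, and a data-only format (JSON) for values that should never carry code. It is an added example for this page, not code from Apache Airflow or any other project listed; the class names, the allowlist, the flag-gated loader and its parameter name are all illustrative assumptions.

```python
"""Unsafe vs. restricted deserialization, illustrated with Python's pickle.

Added example for this listing; not code from Apache Airflow or any other
project listed above. EvilPayload, RestrictedUnpickler, load_xcom_value and
the allowlist are illustrative choices for the demo, not any project's API.
"""
import io
import json
import pickle


class EvilPayload:
    """Attacker-side helper. Pickling an instance emits a stream whose REDUCE
    step tells the victim's unpickler to call builtins.eval on an attacker
    chosen string. The victim never needs this class: the bytes only name
    builtins.eval and the string."""

    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        return (eval, (self.expression,))


def build_malicious_pickle(expression):
    """Poisoned bytes an attacker would store where the victim later unpickles."""
    return pickle.dumps(EvilPayload(expression))


def serialize_benign(obj):
    """Legitimate producer: a plain dict/list/str/int value."""
    return pickle.dumps(obj)


def naive_load(data):
    """The vulnerable sink: pickle.loads runs whatever callable the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened unpickler. find_class() is consulted for every GLOBAL /
    STACK_GLOBAL opcode, so refusing there blocks eval, os.system, etc.
    before any object is constructed. Primitive containers (dict, list,
    str, int) are built from dedicated opcodes and never reach find_class;
    the allowlist below is deliberately tiny and is an illustrative choice."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_untrusted(data):
    """Return (accepted, value); (False, None) is the expected outcome for
    poisoned input."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return False, None


def load_xcom_value(raw, enable_pickling):
    """Flag-gated loader in the spirit of an enable_xcom_pickling switch
    (illustrative, not Airflow's code). The decisive property: the flag is
    checked here, in code, and nothing inside `raw` can re-enable pickle.
    With pickling off, the bytes must parse as JSON or the load fails."""
    if enable_pickling:
        return load_untrusted(raw)
    return True, json.loads(raw)


if __name__ == "__main__":
    poisoned = build_malicious_pickle("6 * 7")
    print("naive_load ran attacker expression ->", naive_load(poisoned))
    print("restricted load of poisoned bytes  ->", load_untrusted(poisoned))
    print("restricted load of benign bytes    ->",
          load_untrusted(serialize_benign({"task_id": "extract", "rows": 42})))
    print("JSON path, pickling disabled       ->",
          load_xcom_value(b'{"task_id": "extract", "rows": 42}', False))
```

The restricted unpickler is a mitigation, not a cure: a gadget allowlisted for legitimate reasons can still be abused, which is exactly the "suitable gadget chain" condition the PHP entries above describe. Where the value only ever needs to carry data, the JSON path removes the problem class entirely, and the pickling flag must be enforced by the consumer regardless of what the stored bytes claim about themselves.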