Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2023-01-14 CVE-2023-22850 Deserialization of Untrusted Data vulnerability in Tiki
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
network
low complexity
tiki CWE-502
8.8
8.8
2023-01-13 CVE-2022-46478 Deserialization of Untrusted Data vulnerability in Datax-Web Project Datax-Web
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data.
network
low complexity
datax-web-project CWE-502
critical
 9.8
9.8
2023-01-10 CVE-2022-47083 Deserialization of Untrusted Data vulnerability in Spitfire Project Spitfire 1.0475
A PHP Object Injection vulnerability in the unserialize() function Spitfire CMS v1.0.475 allows authenticated attackers to execute arbitrary code via sending crafted requests to the web application.
network
low complexity
spitfire-project CWE-502
8.8
8.8
2022-12-26 CVE-2020-10650 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization flaw was discovered in jackson-databind through 2.9.10.4.
network
high complexity
fasterxml oracle CWE-502
8.1
8.1
2022-12-20 CVE-2022-41596 Deserialization of Untrusted Data vulnerability in Huawei Emui and Harmonyos
The system tool has inconsistent serialization and deserialization.
network
low complexity
huawei CWE-502
7.5
7.5
2022-12-16 CVE-2021-38241 Deserialization of Untrusted Data vulnerability in Ruoyi
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
network
low complexity
ruoyi CWE-502
critical
 9.8
9.8
2022-12-15 CVE-2021-33420 Deserialization of Untrusted Data vulnerability in Replicator Project Replicator
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.
network
low complexity
replicator-project CWE-502
critical
 9.8
9.8
2022-12-07 CVE-2022-44351 Deserialization of Untrusted Data vulnerability in Skycaiji 2.5.1
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.
network
low complexity
skycaiji CWE-502
critical
 9.8
9.8
2022-12-07 CVE-2022-44371 Deserialization of Untrusted Data vulnerability in Hope-Boot Project Hope-Boot 1.0.0
hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).
network
low complexity
hope-boot-project CWE-502
critical
 9.8
9.8
2022-12-05 CVE-2022-32224 Deserialization of Untrusted Data vulnerability in Activerecord Project Activerecord
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
network
low complexity
activerecord-project CWE-502
critical
 9.8
9.8