CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,271 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,547 researchers
2,435 results
CVE-2016-6809 | CVSS 9.8 CRITICAL | 1 PoC | EPSS 0.07
Apache Tika < 1.13 - Insecure Deserialization
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CWE-502 | Apr 06, 2017

CVE-2016-8749 | CVSS 9.8 CRITICAL | 1 Writeup | EPSS 0.12
Apache Camel - RCE
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
CWE-502 | Mar 28, 2017

CVE-2014-8731 | CVSS 9.8 CRITICAL | 1 PoC | EPSS 0.47
PHPMemcachedAdmin < 1.2.2 - RCE
PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to "serialized data and the last part of the concatenated filename," which creates a file in the webroot.
CWE-502 | Mar 23, 2017

CVE-2017-5929 | CVSS 9.8 CRITICAL | 1 PoC | EPSS 0.10
QOS Logback < 1.2.0 - Insecure Deserialization
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CWE-502 | Mar 13, 2017

CVE-2017-3159 | CVSS 9.8 CRITICAL | 1 Writeup | EPSS 0.03
Apache Camel < 2.14.4 - Insecure Deserialization
Apache Camel's camel-snakeyaml component has a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
CWE-502 | Mar 07, 2017

CVE-2017-5830 | CVSS 9.8 CRITICAL | EPSS 0.03
Revive-adserver Revive Adserver < 4.0.0 - Insecure Deserialization
Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts.
CWE-502 | Mar 03, 2017

CVE-2016-0360 | CVSS 9.8 CRITICAL | EPSS 0.01
IBM Websphere MQ JMS < 9.0 - Code Injection
IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457.
CWE-502 | Feb 15, 2017

CVE-2017-5954 | CVSS 9.8 CRITICAL | EPSS 0.02
Serialize-to-js < 1.0.0 - Insecure Deserialization
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
CWE-502 | Feb 10, 2017

CVE-2017-5941 | CVSS 9.8 CRITICAL | 9 PoCs | EPSS 0.78
Node-serialize < 0.0.4 - Insecure Deserialization
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
CWE-502 | Feb 09, 2017

CVE-2016-6199 | CVSS 9.8 CRITICAL | EPSS 0.02
Gradle 2.12 - RCE
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.
CWE-502 | Feb 07, 2017

CVE-2016-3415 | CVSS 9.1 CRITICAL | EPSS 0.00
Synacor Zimbra Collaboration Suite < 8.6.0 - Insecure Deserialization
Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.
CWE-502 | Jan 18, 2017

CVE-2016-9865 | CVSS 9.8 CRITICAL | EPSS 0.00
phpMyAdmin - Security Feature Bypass
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by the PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CWE-502 | Dec 11, 2016

CVE-2016-6620 | CVSS 9.8 CRITICAL | EPSS 0.01
phpMyAdmin < 4.6.4, < 4.4.15.8, < 4.0.10.17 - Code Injection
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CWE-502 | Dec 11, 2016

CVE-2016-7065 | CVSS 8.8 HIGH | 1 PoC | EPSS 0.12
Redhat Jboss Enterprise Application P... - Insecure Deserialization
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
CWE-502 | Oct 13, 2016

CVE-2016-5019 | CVSS 9.8 CRITICAL | EPSS 0.06
Apache Myfaces Trinidad < 1.0.13 - Insecure Deserialization
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
CWE-502 | Oct 03, 2016

CVE-2016-4385 | CVSS 7.3 HIGH | EPSS 0.04
HP Network Automation Software - RCE
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.
CWE-502 | Sep 29, 2016

CVE-2016-6330 | CVSS 9.8 CRITICAL | EPSS 0.13
Red Hat JBoss Operations Network (JON) - RCE
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
CWE-502 | Sep 27, 2016

CVE-2016-4978 | CVSS 7.2 HIGH | EPSS 0.01
Apache Activemq Artemis < 1.4.0 - Insecure Deserialization
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CWE-502 | Sep 27, 2016

CVE-2016-7124 | CVSS 9.8 CRITICAL | EPSS 0.75
PHP < 5.6.24 - Insecure Deserialization
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CWE-502 | Sep 12, 2016

CVE-2016-1114 | CVSS 9.8 CRITICAL | EPSS 0.02
Adobe ColdFusion - Insecure Deserialization
Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CWE-502 | May 11, 2016