CVE & Exploit Intelligence Database

CVE-2025-62703 8.8 HIGH 1 Writeup EPSS 0.00

Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.

CWE-502 Nov 25, 2025

CVE-2025-51746 9.8 CRITICAL EPSS 0.00

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.

CWE-502 Nov 25, 2025

CVE-2025-51745 9.8 CRITICAL EPSS 0.00

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.

CWE-502 Nov 25, 2025

CVE-2025-51744 9.8 CRITICAL EPSS 0.00

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.

CWE-502 Nov 25, 2025

CVE-2025-51743 9.8 CRITICAL EPSS 0.00

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

CWE-502 Nov 25, 2025

CVE-2025-51742 9.8 CRITICAL EPSS 0.00

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

CWE-502 Nov 25, 2025

CVE-2025-61168 9.8 CRITICAL EPSS 0.00

An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.

CWE-502 Nov 25, 2025

CVE-2025-13467 5.5 MEDIUM 1 Writeup EPSS 0.00

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

CWE-502 Nov 25, 2025

CVE-2025-66073 6.5 MEDIUM EPSS 0.00

Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.This issue affects WP Webhooks: from n/a through <= 3.3.8.

CWE-502 Nov 21, 2025

CVE-2025-66055 7.2 HIGH EPSS 0.00

Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10.

CWE-502 Nov 21, 2025

CVE-2025-62164 8.8 HIGH 1 Writeup EPSS 0.00

vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.

CWE-502 Nov 21, 2025

CVE-2025-59245 9.8 CRITICAL EPSS 0.01

Microsoft SharePoint Online Elevation of Privilege Vulnerability

CWE-502 Nov 20, 2025

CVE-2025-36072 8.8 HIGH EPSS 0.00

IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.

CWE-502 Nov 20, 2025

CVE-2025-64408 6.3 MEDIUM EPSS 0.01

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.  This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue.

CWE-502 Nov 19, 2025

CVE-2025-13145 7.2 HIGH EPSS 0.00

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CWE-502 Nov 19, 2025

CVE-2025-60455 8.4 HIGH EPSS 0.00

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

CWE-502 Nov 18, 2025

CVE-2025-13081 5.9 MEDIUM EPSS 0.00

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

CWE-502 Nov 18, 2025

CVE-2025-12844 7.1 HIGH 1 Writeup EPSS 0.00

The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the 'rest_simpleTranscribeAudio' and 'rest_simpleVisionQuery' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CWE-502 Nov 13, 2025

CVE-2025-11367 9.8 CRITICAL EPSS 0.01

The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization

CWE-502 Nov 12, 2025

CVE-2025-62204 8.0 HIGH EPSS 0.03

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE-502 Nov 11, 2025