CVE & Exploit Intelligence Database

Updated 18m ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,281 with exploits | 4,731 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,573 researchers

2,435 results
CVE-2024-52443 9.8 CRITICAL EPSS 0.00
Geolocator <1.1 - Code Injection
Deserialization of Untrusted Data vulnerability in Nerijus Masikonis Geolocator allows Object Injection. This issue affects Geolocator: from n/a through 1.1.
CWE-502 Nov 20, 2024
CVE-2024-52440 9.8 CRITICAL EPSS 0.00
Bueno Labs Pvt. Ltd. Xpresslane Fast Checkout <1.0.0 - Code Injection
Deserialization of Untrusted Data vulnerability in Bueno Labs Pvt. Ltd. Xpresslane Fast Checkout allows Object Injection. This issue affects Xpresslane Fast Checkout: from n/a through 1.0.0.
CWE-502 Nov 20, 2024
CVE-2024-52439 9.8 CRITICAL EPSS 0.00
Mark O'Donnell Team Rosters <4.6 - Code Injection
Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters allows Object Injection. This issue affects Team Rosters: from n/a through 4.6.
CWE-502 Nov 20, 2024
CVE-2024-10382 7.5 HIGH EPSS 0.00
Google Androidx.car.app < 1.4.0 - Insecure Deserialization
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary Java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on the victim's device to be able to attack any application that uses the vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
CWE-502 Nov 20, 2024
CVE-2024-52433 9.8 CRITICAL 1 PoC Analysis NUCLEI EPSS 0.82
Mindstien MY Geo Posts Free < 1.2 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free allows Object Injection. This issue affects My Geo Posts Free: from n/a through 1.2.
CWE-502 Nov 18, 2024
CVE-2024-52432 9.8 CRITICAL EPSS 0.01
Nixsolutions Nix Anti-spam Light < 0.0.4 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Object Injection. This issue affects NIX Anti-Spam Light: from n/a through 0.0.4.
CWE-502 Nov 18, 2024
CVE-2024-52430 9.8 CRITICAL 1 PoC Analysis EPSS 0.32
LIS Video Gallery < 0.2.1 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Lis Lis Video Gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through 0.2.1.
CWE-502 Nov 18, 2024
CVE-2024-41151 8.8 HIGH EPSS 0.01
Apache Hertzbeat < 1.6.1 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue.
CWE-502 Nov 18, 2024
CVE-2024-52414 9.8 CRITICAL EPSS 0.00
Anthony Carbon WDES Responsive Mobile Menu <5.3.18 - Code Injection
Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu allows Object Injection. This issue affects WDES Responsive Mobile Menu: from n/a through 5.3.18.
CWE-502 Nov 16, 2024
CVE-2024-52413 9.8 CRITICAL EPSS 0.03
DMC Airin Blog <1.6.1 - Code Injection
Deserialization of Untrusted Data vulnerability in DMC Airin Blog allows Object Injection. This issue affects Airin Blog: from n/a through 1.6.1.
CWE-502 Nov 16, 2024
CVE-2024-52412 9.8 CRITICAL EPSS 0.00
Xin <1.0.8.1 - Code Injection
Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection. This issue affects Xin: from n/a through 1.0.8.1.
CWE-502 Nov 16, 2024
CVE-2024-52411 9.8 CRITICAL EPSS 0.00
Flowcraft UX Design Studio Advanced Personalization <1.1.2 - Code I...
Deserialization of Untrusted Data vulnerability in Flowcraft UX Design Studio Advanced Personalization allows Object Injection. This issue affects Advanced Personalization: from n/a through 1.1.2.
CWE-502 Nov 16, 2024
CVE-2024-52410 9.8 CRITICAL EPSS 0.00
Phoenixheart Referrer Detector <4.2.1.0 - Code Injection
Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector allows Object Injection. This issue affects Referrer Detector: from n/a through 4.2.1.0.
CWE-502 Nov 16, 2024
CVE-2024-52409 9.8 CRITICAL EPSS 0.00
Phan An AJAX Random Posts <0.3.3 - Code Injection
Deserialization of Untrusted Data vulnerability in Phan An AJAX Random Posts allows Object Injection. This issue affects AJAX Random Posts: from n/a through 0.3.3.
CWE-502 Nov 16, 2024
CVE-2021-3838 9.8 CRITICAL 1 Writeup EPSS 0.04
DomPDF <2.0.0 - Code Injection
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DomPDF is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
CWE-502 Nov 15, 2024
CVE-2024-37285 9.1 CRITICAL EPSS 0.01
Elastic Kibana < 8.15.0 - Insecure Deserialization
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them.

The following Elasticsearch indices permissions are required:
* write privilege on the system indices .kibana_ingest*
* The allow_restricted_indices flag is set to true

Any of the following Kibana privileges are additionally required:
* Under Fleet the All privilege is granted
* Under Integration the Read or All privilege is granted
* Access to the fleet-setup privilege is gained through the Fleet Server's service account token
CWE-502 Nov 14, 2024
CVE-2024-10962 8.8 HIGH EPSS 0.05
Wpvivid Migration, Backup, Staging - Insecure Deserialization
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.
CWE-502 Nov 14, 2024
CVE-2024-43080 7.8 HIGH EPSS 0.00
Android - Privilege Escalation
In onReceive of AppRestrictionsFragment.java, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CWE-502 Nov 13, 2024
CVE-2024-52306 7.6 HIGH 1 Writeup EPSS 0.04
FileManager <3.0.9 - Code Injection
FileManager provides a Backpack admin interface for files and folders. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9.
CWE-502 Nov 13, 2024
CVE-2024-10013 7.8 HIGH EPSS 0.00
Telerik UI for WinForms <2024 Q4 - Code Injection
In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.
CWE-502 Nov 13, 2024