CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,283 with exploits; 4,731 exploited in the wild; 1,542 CISA KEV; 3,930 Nuclei templates; 37,826 vendors; 42,577 researchers
2,435 results
CVE-2024-37053 8.8 HIGH EPSS 0.01
Lfprojects Mlflow - Insecure Deserialization
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
CWE-502 Jun 04, 2024
CVE-2024-37052 8.8 HIGH EPSS 0.00
Lfprojects Mlflow - Insecure Deserialization
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
CWE-502 Jun 04, 2024
CVE-2024-3301 8.5 HIGH EPSS 0.10
DELMIA Apriso <2024 - Code Injection
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution.
CWE-502 May 30, 2024
CVE-2024-3300 9.0 CRITICAL NUCLEI EPSS 0.33
DELMIA Apriso <2024 - Code Injection
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to pre-authentication remote code execution.
CWE-502 May 30, 2024
CVE-2024-26289 9.8 CRITICAL 1 Writeup EPSS 0.00
Sigb Pmb < 7.3.18 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion. This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.
CWE-502 May 27, 2024
CVE-2024-5352 6.3 MEDIUM EPSS 0.00
Anji-plus AJ-Report <1.4.1 - Deserialization
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. Affected by this issue is the function validationRules of the component com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSetParamController#verification. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266264.
CWE-502 May 26, 2024
CVE-2024-5351 6.3 MEDIUM EPSS 0.00
Anji-plus AJ-Report <1.4.1 - Deserialization
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been declared as critical. Affected by this vulnerability is the function getValueFromJs of the component Javascript Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266263.
CWE-502 May 26, 2024
CVE-2024-5085 8.1 HIGH EPSS 0.04
Hashthemes Hash Form < 1.1.1 - Insecure Deserialization
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CWE-502 May 23, 2024
CVE-2024-4157 7.5 HIGH 1 PoC Analysis EPSS 0.00
Fluentforms Contact Form < 5.1.16 - Insecure Deserialization
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
CWE-502 May 22, 2024
CVE-2024-34274 3.9 LOW EPSS 0.00
OpenBD - Deserialization
OpenBD 20210306203917-6cbe797 is vulnerable to Deserialization of Untrusted Data. The cookies bdglobals and bdclient_spot of the OpenBD software use serialized data, which can be used to execute arbitrary code on the system. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE-502 May 21, 2024
CVE-2024-31879 7.5 HIGH EPSS 0.01
IBM i <7.5 - Code Injection
IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbitrary code leading to a denial of service of network ports on the system, caused by the deserialization of untrusted data. IBM X-Force ID: 287539.
CWE-502 May 18, 2024
CVE-2024-34997 7.5 HIGH EPSS 0.00
Joblib - Insecure Deserialization
joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.
CWE-502 May 17, 2024
CVE-2024-34751 4.4 MEDIUM EPSS 0.00
WebToffee Order Export & Order Import for WooCommerce <2.4.9 - Dese...
Deserialization of Untrusted Data vulnerability in WebToffee Order Export & Order Import for WooCommerce. This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.9.
CWE-502 May 16, 2024
CVE-2024-4200 7.7 HIGH EPSS 0.00
Telerik Reporting <2024 Q2 - Code Injection
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.
CWE-502 May 15, 2024
CVE-2024-3967 7.6 HIGH EPSS 0.01
OpenText iManager <3.2.6.0200 - RCE
Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger remote code execution using unsafe Java object deserialization.
CWE-502 May 15, 2024
CVE-2024-3483 7.8 HIGH EPSS 0.00
Microfocus Imanager < 3.2.6 - Command Injection
Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues.
CWE-502 May 15, 2024
CVE-2024-30044 7.2 HIGH EPSS 0.48
Microsoft SharePoint Server - RCE
Microsoft SharePoint Server Remote Code Execution Vulnerability
CWE-502 May 14, 2024
CVE-2024-30042 7.8 HIGH EPSS 0.00
Microsoft Excel - RCE
Microsoft Excel Remote Code Execution Vulnerability
CWE-502 May 14, 2024
CVE-2024-4699 6.3 MEDIUM 1 Writeup EPSS 0.02
Dlink Dar-8000-10 Firmware < 20230922 - Insecure Deserialization
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
CWE-502 May 14, 2024
CVE-2024-4606 5.4 MEDIUM EPSS 0.00
BdThemes Ultimate Store Kit Elementor Addons <2.0.3 - Deserialization
Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.0.3.
CWE-502 May 14, 2024