CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,867 CVEs tracked
53,243 with exploits
4,725 exploited in wild
1,540 CISA KEV
3,925 Nuclei templates
37,802 vendors
42,500 researchers

2,430 results
CVE-2026-2555 5.0 MEDIUM EPSS 0.00
JeecgBoot 3.9.1 - Deserialization
A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Manipulation of the input can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex, and the exploitability is stated to be difficult. The project was informed of the problem early through an issue report but has not responded yet.
CWE-20 Feb 16, 2026
CVE-2026-26333 9.8 CRITICAL EPSS 0.00
Calero VeraSMART <2022 R1 - Unauthenticated Code Injection
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
CWE-306 Feb 13, 2026
CVE-2026-26208 7.8 HIGH 1 Writeup EPSS 0.00
ADB Explorer <Beta 0.9.26020 - RCE
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
CWE-502 Feb 13, 2026
CVE-2026-26221 2 PoCs Analysis EPSS 0.01
Hyland OnBase - Unauthenticated RCE
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
CWE-502 Feb 13, 2026
CVE-2025-61880 8.8 HIGH EPSS 0.01
Infoblox NIOS <9.0.7 - RCE
In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution.
CWE-502 Feb 12, 2026
CVE-2026-26215 2 PoCs Analysis EPSS 0.00
manga-image-translator <beta-0.3 - Unauthenticated RCE
manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.
CWE-502 Feb 11, 2026
CVE-2026-0910 8.8 HIGH EPSS 0.00
wpForo Forum <2.4.13 - Code Injection
The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
CWE-502 Feb 11, 2026
CVE-2026-1235 6.5 MEDIUM EPSS 0.00
WP eCommerce <3.15.1 - Code Injection
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
CWE-502 Feb 11, 2026
CVE-2026-21531 9.8 CRITICAL 2 PoCs Analysis EPSS 0.00
Microsoft Azure Conversation Authorin... - Insecure Deserialization
Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.
CWE-502 Feb 10, 2026
CVE-2026-21511 7.5 HIGH EPSS 0.00
Microsoft 365 Apps < 16.0.19127.20518 - Insecure Deserialization
Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
CWE-502 Feb 10, 2026
CVE-2026-23685 4.4 MEDIUM EPSS 0.00
SAP NetWeaver - Deserialization
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.
CWE-502 Feb 10, 2026
CVE-2026-25925 7.8 HIGH EPSS 0.00
PowerDocu <2.4.0 - Code Injection
PowerDocu is a Windows GUI executable for producing technical documentation. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to instantiate arbitrary .NET objects and execute code. This vulnerability is fixed in 2.4.0.
CWE-502 Feb 09, 2026
CVE-2026-25923 EPSS 0.00
my little forum <20260208.1 - Code Injection
my little forum is a PHP and MySQL based internet forum that displays messages in a classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar polyglot file (disguised as a JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit a Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
CWE-502 Feb 09, 2026
CVE-2026-2113 7.3 HIGH 2 PoCs Analysis EPSS 0.00
yuan1994 tpadmin <1.3.12 - Deserialization
A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part of the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CWE-502 Feb 07, 2026
CVE-2026-25632 10.0 CRITICAL 1 Writeup EPSS 0.00
Pypi Epyt-flow < 0.16.1 - Insecure Deserialization
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
CWE-502 Feb 06, 2026
CVE-2020-37071 9.8 CRITICAL 1 PoC Analysis EPSS 0.01
CraftCMS 3 vCard Plugin 1.0.0 - Code Injection
CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.
CWE-502 Feb 03, 2026
CVE-2026-25615 7.2 HIGH EPSS 0.00
Phillipsdata Blesta < 5.13.3 - Insecure Deserialization
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
CWE-502 Feb 03, 2026
CVE-2026-25614 7.5 HIGH EPSS 0.00
Phillipsdata Blesta < 5.13.2 - Insecure Deserialization
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.
CWE-502 Feb 03, 2026
CVE-2025-70560 8.4 HIGH 1 Writeup EPSS 0.00
Jwohlwend Boltz - Insecure Deserialization
Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.
CWE-502 Feb 03, 2026
CVE-2025-70559 6.5 MEDIUM EPSS 0.00
Pypi Pdfminer.six < 20251230 - Insecure Deserialization
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512.
CWE-502 Feb 03, 2026