CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,293 with exploits; 4,731 exploited in the wild; 1,542 in CISA KEV; 3,930 Nuclei templates; 37,826 vendors; 42,585 researchers
2,435 results
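The intro above describes cross-referencing CVSS, EPSS, CISA KEV membership and public exploit counts. The script below is an added example (not the database's own code) of how a practitioner would turn those four signals into an action order: it parses rows in the exact shape shown on this page and buckets them into tiers. The tier rules, the tie-break order and the `kev` set are assumptions for illustration; the site's own ranking is not published here, and the sample rows are copied from the listing on this page.

```python
"""Rank CVEs by exploit intelligence signals.

Added example, not the database's own code. It parses listing rows in the
format shown on this page (CVE id, CVSS base score, severity, optional
exploit/writeup count, EPSS) and buckets them into action tiers. The tier
rules and the tie-breaking order are an assumption chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Row shape on the page: "CVE-2023-6654 6.3 MEDIUM 1 PoC Analysis EPSS 0.02"
ROW_RE = re.compile(
    r"^(?P<id>CVE-\d{4}-\d{4,})\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<sev>LOW|MEDIUM|HIGH|CRITICAL)\s*"
    r"(?P<sig>.*?)\s*"          # e.g. "1 Writeup", "1 PoC Analysis", or nothing
    r"EPSS\s+(?P<epss>\d\.\d{2})$"
)


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation, 0.00-1.00
    public_exploits: int   # count of public PoCs/writeups shown on the row
    in_kev: bool           # present in the CISA KEV catalogue


def parse_row(line: str, kev: FrozenSet[str] = frozenset()) -> CveRecord:
    """Parse one listing row; `kev` is the set of CVE ids from the CISA KEV feed."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    sig = m.group("sig")
    n_exploits = int(sig.split()[0]) if sig[:1].isdigit() else 0
    cve_id = m.group("id")
    return CveRecord(cve_id, float(m.group("cvss")), float(m.group("epss")),
                     n_exploits, cve_id in kev)


def tier(r: CveRecord) -> int:
    """Action tier (assumed policy): 1 = patch now, 4 = backlog."""
    if r.in_kev:                                  # confirmed exploited in the wild
        return 1
    if r.public_exploits > 0 or r.epss >= 0.10:   # weaponised, or likely to be soon
        return 2
    if r.cvss >= 7.0:                             # severe but no exploit signal yet
        return 3
    return 4


def triage(rows: Iterable[str], kev: FrozenSet[str] = frozenset()) -> List[CveRecord]:
    """Return records sorted by tier, then EPSS desc, then CVSS desc, then id."""
    recs = [parse_row(line, kev) for line in rows if line.strip()]
    return sorted(recs, key=lambda r: (tier(r), -r.epss, -r.cvss, r.cve_id))


# Constructed input: header rows copied from the listing on this page.
SAMPLE_ROWS = """
CVE-2023-34382 4.4 MEDIUM EPSS 0.00
CVE-2023-46279 9.8 CRITICAL EPSS 0.02
CVE-2023-29234 9.8 CRITICAL EPSS 0.89
CVE-2023-50252 8.3 HIGH 1 Writeup EPSS 0.10
CVE-2023-6654 6.3 MEDIUM 1 PoC Analysis EPSS 0.02
CVE-2023-6580 8.8 HIGH 1 Writeup EPSS 0.00
CVE-2023-49297 3.3 LOW 1 Writeup EPSS 0.00
""".strip().splitlines()

if __name__ == "__main__":
    # The listing shows no KEV members; in practice pass the CISA feed's ids as `kev`.
    for r in triage(SAMPLE_ROWS):
        print(tier(r), r.cve_id, r.cvss, f"{r.epss:.2f}", r.public_exploits)
```

Note what the ordering does with the page's own rows: CVE-2023-46279 carries a 9.8 CRITICAL score but no exploit signal, so it lands below the 6.3 MEDIUM CVE-2023-6654 that has a public PoC, and the two 9.8s are separated by EPSS (0.89 vs 0.02). That is the point of layering EPSS, KEV and exploit availability over CVSS rather than sorting on CVSS alone.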
CVE-2023-34382 4.4 MEDIUM EPSS 0.00
Wedevs Dokan <= 3.7.19 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.19.
CWE-502 Dec 19, 2023
CVE-2023-34027 8.3 HIGH EPSS 0.00
Rajnish Arora Recently Viewed Products <= 1.0.0 - Deserialization
Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products. This issue affects Recently Viewed Products: from n/a through 1.0.0.
CWE-502 Dec 19, 2023
CVE-2023-37390 8.3 HIGH EPSS 0.00
Themesflat Addons For Elementor <= 2.0.0 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor. This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0.
CWE-502 Dec 19, 2023
CVE-2023-6730 8.8 HIGH 1 Writeup EPSS 0.00
Huggingface Transformers < 4.36.0 - Insecure Deserialization
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
CWE-502 Dec 19, 2023
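The Transformers advisory above says only "Deserialization of Untrusted Data" and does not name the format. The block below is an added example, not code from huggingface/transformers, showing the canonical Python CWE-502 case with the standard library's pickle: why loading an untrusted stream is code execution, and the restricted-unpickler containment pattern. `side_effect`, `Evil`, `SAFE_GLOBALS` and the sample blobs are constructed for the demonstration; a real payload would name `os.system` or similar in its `__reduce__` tuple.

```python
"""Untrusted pickle: why CWE-502 becomes code execution, and one containment.

Added example, not code from huggingface/transformers. `side_effect` and
`Evil` are constructed stand-ins: a real payload would name os.system or
similar in its __reduce__ tuple.
"""
import io
import pickle

CALLS = []   # records every call the payload managed to trigger


def side_effect(tag: str) -> str:
    """Harmless stand-in for a dangerous callable such as os.system."""
    CALLS.append(tag)
    return tag


class Evil:
    """Object whose pickle tells the loader to call side_effect("pwned")."""
    def __reduce__(self):
        return (side_effect, ("pwned",))


def build_payload() -> bytes:
    """Constructed attacker payload: a pickle carrying a GLOBAL + REDUCE."""
    return pickle.dumps(Evil())


def benign_blob() -> bytes:
    """Constructed benign payload: plain containers and numbers only."""
    return pickle.dumps({"epoch": 3, "loss": [0.5]})


def unsafe_load(data: bytes):
    """Vulnerable pattern: any callable named in the stream is imported and run."""
    return pickle.loads(data)


# Allowlist of module -> names the loader may resolve. Everything else is refused.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str",
                 "bytes", "int", "float", "bool", "complex"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: resolve globals only from an explicit allowlist."""
    def find_class(self, module: str, name: str):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) without raising."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    payload = build_payload()
    print("unsafe:", unsafe_load(payload), CALLS)      # the callable ran
    CALLS.clear()
    print("safe:  ", try_safe_load(payload), CALLS)    # rejected before anything ran
    print("benign:", try_safe_load(benign_blob()))
```

The refusal happens inside `find_class`, i.e. when the GLOBAL opcode is decoded and before REDUCE can call anything, which is why `CALLS` stays empty. Keep the allowlist to data types: adding `builtins.getattr`, `builtins.eval` or `copyreg` helpers reopens the hole, and a restricted unpickler does nothing about resource-exhaustion payloads, so prefer a data-only format (JSON, safetensors-style raw tensors) where you can.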
CVE-2023-49819 7.5 HIGH EPSS 0.00
Wpsc-plugin Structured Content <= 1.5.3 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc. This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3.
CWE-502 Dec 19, 2023
CVE-2023-46154 6.6 MEDIUM EPSS 0.00
E2Pdf <= 1.20.18 - Deserialization
Deserialization of Untrusted Data vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress. This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.18.
CWE-502 Dec 19, 2023
CVE-2023-46279 9.8 CRITICAL EPSS 0.02
Apache Dubbo 3.1.5 - Deserialization
Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5. Users are recommended to upgrade to the latest version, which fixes the issue.
CWE-502 Dec 15, 2023
CVE-2023-29234 9.8 CRITICAL EPSS 0.89
Apache Dubbo 3.1.0-3.1.10, 3.2.0-3.2.4 - Deserialization
A deserialization vulnerability exists when decoding a malicious packet. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10 and from 3.2.0 through 3.2.4. Users are recommended to upgrade to the latest version, which fixes the issue.
CWE-502 Dec 15, 2023
CVE-2023-50252 8.3 HIGH 1 Writeup EPSS 0.10
Dompdf Php-svg-lib < 0.5.1 - Insecure Deserialization
php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling a `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag into the `<image>` tag. The problem arises when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read which, on PHP versions prior to 8, can trigger PHAR deserialization (a `phar://` path passed to a file operation causes the archive's serialized metadata to be unserialized on access). Version 0.5.1 contains a patch for this issue.
CWE-502 Dec 12, 2023
CVE-2023-6656 5.0 MEDIUM EPSS 0.00
DeepFaceLab pretrained DF.wf.288res.384.92.72.22 - Deserialization
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22. It has been rated as critical by the reporter (the CVSS score shown here is 5.0 MEDIUM). An unknown function in the file DFLIMG/DFLJPG.py is affected; the manipulation leads to deserialization. The attack may be launched remotely, but its complexity is rather high and exploitation is known to be difficult. The identifier of this vulnerability is VDB-247364. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE-502 Dec 10, 2023
CVE-2023-6654 6.3 MEDIUM 1 PoC Analysis EPSS 0.02
PHPEMS 6.x/7.x/8.x/9.0 - Deserialization
A vulnerability classified as critical was found in PHPEMS 6.x/7.x/8.x/9.0. An unknown function in the library lib/session.cls.php of the Session Data Handler component is affected; the manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability.
CWE-502 Dec 10, 2023
CVE-2023-6580 8.8 HIGH 1 Writeup EPSS 0.00
D-Link DIR-846 FW100A53DBR - Deserialization
A vulnerability, which was classified as critical, was found in D-Link DIR-846 FW100A53DBR. It affects an unknown part of the file /HNAP1/ in the QoS POST Handler component. Manipulation of the argument smartqos_express_devices/smartqos_normal_devices leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247161 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE-502 Dec 07, 2023
CVE-2023-49297 3.3 LOW 1 Writeup EPSS 0.00
PyDrive2 < 1.16.2 - Unsafe YAML Deserialization (RCE)
PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded via `LoadSettingsFile`. This is a deserialization attack that will affect any user who initializes GoogleAuth from this package while a malicious YAML file is present in the same directory. This vulnerability does not require the file to be loaded explicitly through code, only to be present. This issue has been addressed in commit `c57355dc`, which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CWE-502 Dec 05, 2023
CVE-2023-46674 6.0 MEDIUM EPSS 0.00
Elastic - Deserialization
An issue was identified that allowed unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich of Amazon Web Services for reporting this issue.
CWE-502 Dec 05, 2023
CVE-2023-48967 9.8 CRITICAL EPSS 0.00
Ssolon <= 2.6.0, <= 2.5.12 - Deserialization
Ssolon <= 2.6.0 and <= 2.5.12 is vulnerable to Deserialization of Untrusted Data.
CWE-502 Dec 04, 2023
CVE-2023-48887 9.8 CRITICAL 1 Writeup EPSS 0.00
Jupiter 1.3.1 - Deserialization RCE
A deserialization vulnerability in Jupiter v1.3.1 allows attackers to execute arbitrary commands by sending a crafted RPC request.
CWE-502 Dec 01, 2023
CVE-2023-48886 9.8 CRITICAL 1 Writeup EPSS 0.00
NettyRpc 1.2 - Deserialization RCE
A deserialization vulnerability in NettyRpc v1.2 allows attackers to execute arbitrary commands by sending a crafted RPC request.
CWE-502 Dec 01, 2023
CVE-2023-47207 9.8 CRITICAL EPSS 0.02
Deltaww InfraSuite Device Master 1.0.7 - Insecure Deserialization
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges.
CWE-502 Nov 30, 2023
CVE-2023-48952 7.5 HIGH EPSS 0.00
openlink virtuoso-opensource 7.2.11 - DoS
An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
CWE-502 Nov 29, 2023
CVE-2023-6378 7.1 HIGH EPSS 0.01
Logback 1.4.11 - DoS
A serialization vulnerability in the logback receiver component of logback version 1.4.11 allows an attacker to mount a Denial-of-Service attack by sending poisoned data.
CWE-502 Nov 29, 2023