CVE & Exploit Intelligence Database

Updated 4h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked · 53,271 with exploits · 4,730 exploited in wild · 1,542 CISA KEV · 3,929 Nuclei templates · 37,826 vendors · 42,547 researchers
2,435 results
CVE-2026-0895 1 Writeup EPSS 0.00
Cpsit Typo3-mailqueue < 0.4.3 - Insecure Deserialization
The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overridden by the extension, using the extension with a patched TYPO3 core version still allows Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core into the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004).
CWE-502 Jan 20, 2026
CVE-2023-7334 9.8 CRITICAL EXPLOITED 1 Writeup EPSS 0.00
Chanjetvip T+ < 16.000.000.0283 - Insecure Deserialization
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
CWE-502 Jan 15, 2026
CVE-2026-23746 EPSS 0.00
Entrust Instant Financial Issuance (IFI) On Premise <6.10.5-6.11.1 ...
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
CWE-306 Jan 15, 2026
CVE-2026-21226 7.5 HIGH EPSS 0.01
Azure Core < - Code Injection
Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
CWE-502 Jan 13, 2026
CVE-2026-20963 8.8 HIGH EPSS 0.02
Microsoft Office SharePoint - Code Injection
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CWE-502 Jan 13, 2026
CVE-2026-0859 7.8 HIGH 1 Writeup EPSS 0.00
Typo3 < 10.4.55 - Insecure Deserialization
TYPO3's mail-file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
CWE-502 Jan 13, 2026
CVE-2024-14021 7.8 HIGH EPSS 0.00
Llamaindex < 0.11.6 - Insecure Deserialization
LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.
CWE-502 Jan 12, 2026
CVE-2025-69276 8.8 HIGH EPSS 0.00
Broadcom DX Netops Spectrum < 25.4.1 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier.
CWE-502 Jan 12, 2026
CVE-2026-22612 7.8 HIGH 1 Writeup EPSS 0.00
Trailofbits Fickling < 0.1.7 - Insecure Deserialization
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7.
CWE-502 Jan 10, 2026
CVE-2026-22609 7.8 HIGH 1 Writeup EPSS 0.00
Fickling <0.1.7 - Code Injection
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.
CWE-184 Jan 10, 2026
CVE-2026-22608 7.8 HIGH 1 Writeup EPSS 0.00
Fickling <0.1.7 - RCE
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.
CWE-184 Jan 10, 2026
CVE-2026-22607 7.8 HIGH 1 Writeup EPSS 0.00
Fickling <0.1.6 - Code Injection
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
CWE-184 Jan 10, 2026
CVE-2026-22606 7.8 HIGH 1 Writeup EPSS 0.00
Fickling <0.1.6 - Code Injection
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
CWE-184 Jan 10, 2026
CVE-2025-67911 9.8 CRITICAL EPSS 0.00
Tribulant Software Newsletters <4.11 - Code Injection
Deserialization of Untrusted Data vulnerability in Tribulant Software Newsletters (newsletters-lite) allows Object Injection. This issue affects Newsletters: from n/a through <= 4.11.
CWE-502 Jan 08, 2026
CVE-2026-22187 7.8 HIGH 2 PoCs Analysis EPSS 0.00
OME Pom-bio-formats - Insecure Deserialization
Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
CWE-502 Jan 07, 2026
CVE-2025-47552 9.8 CRITICAL EPSS 0.00
DZS Video Gallery <12.37 - Code Injection
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37.
CWE-502 Jan 07, 2026
CVE-2025-47553 8.8 HIGH EPSS 0.00
DZS Video Gallery <12.25 - Code Injection
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.25.
CWE-502 Jan 06, 2026
CVE-2025-31047 8.8 HIGH EPSS 0.00
Themify Edmin <2.0.0 - Code Injection
Deserialization of Untrusted Data vulnerability in Themify Edmin allows Object Injection. This issue affects Themify Edmin: from n/a through 2.0.0.
CWE-502 Jan 05, 2026
CVE-2025-15453 6.3 MEDIUM EPSS 0.00
milvus <2.6.7 - Deserialization
A security vulnerability has been detected in milvus up to 2.6.7. It affects the function expr.Exec in the file pkg/util/expr/expr.go of the HTTP Endpoint component. Manipulation of the argument code leads to deserialization of untrusted data. The vulnerability can be exploited remotely. The exploit has been disclosed publicly and may be used. A fix is planned for the next release, 2.6.8.
CWE-502 Jan 05, 2026
CVE-2025-15438 4.7 MEDIUM EPSS 0.00
PluXml <5.8.22 - Deserialization
A vulnerability was found in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct in the file core/admin/medias.php of the Media Management Module component. Manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
CWE-20 Jan 02, 2026