LIVE · cybersecurity feed

deserialization

CVE-2026-4735vulnerability
zeroday.news · 106d ago

CVE-2026-4735: Deserialization of Untrusted Data vulnerability in DTStack chunjun (‎chunjun-core/src/main/java/com/dtstack/chunjun

Deserialization of Untrusted Data vulnerability in DTStack chunjun (‎chunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java. This issue affects chunjun: before 1.16.1.

CVE-2026-4681vulnerability
zeroday.news · 106d ago

CVE-2026-4681: A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM.

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

CVE-2026-4538vulnerability
zeroday.news · 108d ago·medium

CVE-2026-4538: A vulnerability was identified in PyTorch 2.10.0.

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

CVE-2026-0677vulnerability
zeroday.news · 110d ago·medium

CVE-2026-0677: Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Inj

Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1.

CVE-2026-29109vulnerability
zeroday.news · 110d ago·high

CVE-2026-29109: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application.

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.

CVE-2026-2646vulnerability
zeroday.news · 111d ago·high

CVE-2026-2646: A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function.

A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable.

CVE-2025-71260vulnerability
zeroday.news · 111d ago·high

CVE-2025-71260: BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerabili

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVE-2026-25445vulnerability
zeroday.news · 111d ago·high

CVE-2026-25445: Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.T

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.

CVE-2025-60237vulnerability
zeroday.news · 111d ago·critical

CVE-2025-60237: Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag

Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0.

CVE-2025-60233vulnerability
zeroday.news · 111d ago·critical

CVE-2025-60233: Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut:

Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2.

CVE-2026-27096vulnerability
zeroday.news · 111d ago·high

CVE-2026-27096: Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme al

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

CVE-2026-25873vulnerability
zeroday.news · 111d ago·critical

CVE-2026-25873: OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that al

OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service.

CVE-2026-25449vulnerability
zeroday.news · 112d ago·critical

CVE-2026-25449: Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue

Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue affects Traveler: from n/a through < 3.2.8.1.

CVE-2026-25769vulnerability
zeroday.news · 113d ago·critical

CVE-2026-25769: Wazuh is a free and open source platform used for threat prevention, detection, and response.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data). All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.

CVE-2026-1323vulnerability
zeroday.news · 113d ago·high

CVE-2026-1323: The extension fails to properly define allowed classes used when deserializing transport failure metadata.

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

CVE-2026-27962vulnerability
zeroday.news · 114d ago·critical

CVE-2026-27962: Authlib is a Python library which builds OAuth and OpenID Connect servers.

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in ver

CVE-2026-32614vulnerability
zeroday.news · 114d ago·high

CVE-2026-32614: Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial

Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a crit

CVE-2025-54920vulnerability
zeroday.news · 114d ago·high

CVE-2025-54920: This issue affects Apache Spark: before 3.5.7 and 4.0.1.

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.I

CVE-2026-32355vulnerability
zeroday.news · 116d ago·high

CVE-2026-32355: Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This is

Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.

CVE-2026-32141vulnerability
zeroday.news · 118d ago·high

CVE-2026-32141: flatted is a circular JSON parser.

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

CVE-2026-3989vulnerability
zeroday.news · 118d ago·high

CVE-2026-3989: SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization.

SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.

CVE-2026-3060vulnerability
zeroday.news · 118d ago·critical

CVE-2026-3060: SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the d

SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.

CVE-2026-3059vulnerability
zeroday.news · 118d ago·critical

CVE-2026-3059: SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.

CVE-2026-3967vulnerability
zeroday.news · 118d ago·medium

CVE-2026-3967: A flaw has been found in Alfresco Activiti up to 7.19/8.8.0.

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.