CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4800 vulnerabilities reference this CWE, most recent first.
CVE-2026-13759 (GCVE-0-2026-13759)
Vulnerability from cvelistv5 – Published: 2026-06-30 19:24 – Updated: 2026-07-03 03:56- CWE-502 - Deserialization of Untrusted Data
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7278595 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | WebSphere Extreme Scale |
Affected:
8.6.1.0 , ≤ 8.6.1.6
(semver)
cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T03:56:10.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*"
],
"product": "WebSphere Extreme Scale",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "8.6.1.6",
"status": "affected",
"version": "8.6.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs\u003c/p\u003e"
}
],
"value": "IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T19:24:03.665Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7278595"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe recommend customer to enable encryption. Please follow the link to enable encryption.\u003cbr/\u003e\u003ca href=\"https://www.ibm.com/docs/en/wxs/latest?topic=sydgies-securing-data-that-flows-between-extreme-scale-clients-servers-ssl-encryption.\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/wxs/latest?topic=sydgies-securing-data-that-flows-between-extreme-scale-clients-servers-ssl-encryption.\u003c/a\u003e\u003cbr/\u003e\u003cbr/\u003eFor extra security customer can enable JEP 290 global JVM deserialization filter (-Djdk.serialFilter) while starting catalog and container servers.JEP 290 is available from 8.0.8.5 onwards.\u003c/p\u003e"
}
],
"value": "We recommend customer to enable encryption. Please follow the link to enable encryption.\n https://www.ibm.com/docs/en/wxs/latest?topic=sydgies-securing-data-that-flows-between-extreme-scale-clients-servers-ssl-encryption. \n\nFor extra security customer can enable JEP 290 global JVM deserialization filter (-Djdk.serialFilter) while starting catalog and container servers.JEP 290 is available from 8.0.8.5 onwards."
}
],
"title": "IBM WebSphere eXtreme Scale is affected by Insecure Deserilization",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-13759",
"datePublished": "2026-06-30T19:24:03.665Z",
"dateReserved": "2026-06-29T18:10:36.156Z",
"dateUpdated": "2026-07-03T03:56:10.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13371 (GCVE-0-2026-13371)
Vulnerability from cvelistv5 – Published: 2026-07-02 23:04 – Updated: 2026-07-07 17:01- CWE-502 - Deserialization of Untrusted Data
| URL | Tags |
|---|---|
| https://www.watchguard.com/wgrd-psirt/advisory/wg… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| WatchGuard | Fireware OS |
Affected:
12.0 , ≤ 12.12
(semver)
Affected: 12.5 , ≤ 12.5.18 (semver) Affected: 2025.1 , ≤ 2026.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:04:59.649744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:01:52.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fireware OS",
"vendor": "WatchGuard",
"versions": [
{
"lessThanOrEqual": "12.12",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.5.18",
"status": "affected",
"version": "12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "2026.2",
"status": "affected",
"version": "2025.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0",
"versionEndIncluding": "12.12",
"versionStartIncluding": "12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.5",
"versionEndIncluding": "12.5.18",
"versionStartIncluding": "12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
"versionEndIncluding": "2026.2",
"versionStartIncluding": "2025.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cody Sixteen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the \u003ccode\u003eput_data\u003c/code\u003e endpoint, which performs unsafe deserialization of the attacker-supplied input."
}
],
"value": "An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the put_data endpoint, which performs unsafe deserialization of the attacker-supplied input."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T23:04:42.674Z",
"orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"shortName": "WatchGuard"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00014"
}
],
"source": {
"advisory": "WGSA-2026-00014",
"defect": [
"FBX-30942"
],
"discovery": "EXTERNAL"
},
"title": "WatchGuard Firebox Management Web UI Denial of Service via Unsafe Deserialization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"assignerShortName": "WatchGuard",
"cveId": "CVE-2026-13371",
"datePublished": "2026-07-02T23:04:42.674Z",
"dateReserved": "2026-06-25T19:43:53.207Z",
"dateUpdated": "2026-07-07T17:01:52.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12787 (GCVE-0-2026-12787)
Vulnerability from cvelistv5 – Published: 2026-06-21 07:30 – Updated: 2026-06-22 17:18| URL | Tags |
|---|---|
| https://vuldb.com/vuln/372529 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/372529/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12787 | third-party-advisory |
| https://vuldb.com/submit/835654 | third-party-advisory |
| https://ucn9h68n9289.feishu.cn/docx/I8uZdkZL3oSqB… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| zhilink 智互联(深圳)科技有限公司 | ADP Application Developer Platform 应用开发者平台 |
Affected:
1.0.0
cpe:2.3:a:zhilink_:adp_application_developer_platform_:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12787",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:18:30.484630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:18:38.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhilink_:adp_application_developer_platform_:*:*:*:*:*:*:*:*"
],
"modules": [
"testConnection Endpoint"
],
"product": "ADP Application Developer Platform \u5e94\u7528\u5f00\u53d1\u8005\u5e73\u53f0",
"vendor": "zhilink \u667a\u4e92\u8054(\u6df1\u5733)\u79d1\u6280\u6709\u9650\u516c\u53f8",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "bigbrother_man (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in zhilink \u667a\u4e92\u8054(\u6df1\u5733)\u79d1\u6280\u6709\u9650\u516c\u53f8 ADP Application Developer Platform \u5e94\u7528\u5f00\u53d1\u8005\u5e73\u53f0 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-21T07:30:34.571Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-372529 | zhilink \u667a\u4e92\u8054(\u6df1\u5733)\u79d1\u6280\u6709\u9650\u516c\u53f8 ADP Application Developer Platform \u5e94\u7528\u5f00\u53d1\u8005\u5e73\u53f0 testConnection Endpoint deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/372529"
},
{
"name": "VDB-372529 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/372529/cti"
},
{
"name": "CVE-2026-12787 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12787"
},
{
"name": "Submit #835654 | Zhilink (Shenzhen) Technology Co., Ltd. ADP Application Developer Platform V1.0.0 Deserialization of Untrusted Data (CWE-502)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/835654"
},
{
"tags": [
"exploit"
],
"url": "https://ucn9h68n9289.feishu.cn/docx/I8uZdkZL3oSqBnxkwTAcfDvknUh?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-20T12:03:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhilink \u667a\u4e92\u8054(\u6df1\u5733)\u79d1\u6280\u6709\u9650\u516c\u53f8 ADP Application Developer Platform \u5e94\u7528\u5f00\u53d1\u8005\u5e73\u53f0 testConnection Endpoint deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12787",
"datePublished": "2026-06-21T07:30:34.571Z",
"dateReserved": "2026-06-20T09:58:40.593Z",
"dateUpdated": "2026-06-22T17:18:38.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12578 (GCVE-0-2026-12578)
Vulnerability from cvelistv5 – Published: 2026-06-30 07:20 – Updated: 2026-06-30 12:50- CWE-502 - Deserialization of untrusted data
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T12:49:59.088298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:50:13.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DTMSoft",
"vendor": "deltaww",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:deltaww:dtmsoft:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "CISA"
},
{
"lang": "en",
"type": "reporter",
"value": "kimiya working with Trend Micro Zero Day Initiative"
}
],
"datePublic": "2026-06-25T01:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code."
}
],
"value": "The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T07:20:59.492Z",
"orgId": "759f5e80-c8e1-4224-bead-956d7b33c98b",
"shortName": "Deltaww"
},
"references": [
{
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00010_DTMSoft%20Project%20File%20Parsing%20Deserialization%20of%20Untrusted%20Data%20Remote%20Code%20(CVE-2026-12578)_v1.0.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DTMSoft - Deserialization of Untrusted Data Vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users are recommended to take the following mitigation measures:\n\u003cbr\u003e\u003cul\u003e\u003cli\u003eDo not open unsolicited project files: Do not open or import unsolicited project files, untrusted Internet links, or unexpected attachments from emails, network shares, or USB drives. Always verify the source of the file before opening it.\n\u003c/li\u003e\u003cli\u003eAvoid running as administrator: Do not use the \"Run as Administrator\" option when launching the software. Running the software with standard user privileges effectively limits the damage of potential malicious code.\n\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Users are recommended to take the following mitigation measures:\n\n * Do not open unsolicited project files: Do not open or import unsolicited project files, untrusted Internet links, or unexpected attachments from emails, network shares, or USB drives. Always verify the source of the file before opening it.\n\n * Avoid running as administrator: Do not use the \"Run as Administrator\" option when launching the software. Running the software with standard user privileges effectively limits the damage of potential malicious code."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "759f5e80-c8e1-4224-bead-956d7b33c98b",
"assignerShortName": "Deltaww",
"cveId": "CVE-2026-12578",
"datePublished": "2026-06-30T07:20:59.492Z",
"dateReserved": "2026-06-18T05:22:58.068Z",
"dateUpdated": "2026-06-30T12:50:13.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12569 (GCVE-0-2026-12569)
Vulnerability from cvelistv5 – Published: 2026-06-18 00:11 – Updated: 2026-06-30 17:34| URL | Tags |
|---|---|
| https://www.ptc.com/en/support/article/CS473270 | vendor-advisorymitigationpermissions-required |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| PTC | Windchill PDMLink |
Affected:
0 , ≤ 11.0 M030
(semver)
Affected: 11.1 M020 Affected: 11.2.1.0 Affected: 12.0.2.0 Affected: 12.1.2.0 Affected: 13.0.2.0 Affected: 13.1.0.0 Affected: 13.1.1.0 Affected: 13.1.2.0 Affected: 13.1.3.0 |
|
| PTC | FlexPLM |
Affected:
0 , ≤ 11.0 M030
(semver)
Affected: 11.1 M020 Affected: 11.2.1.0 Affected: 12.0.0.0 Affected: 12.0.2.0 Affected: 12.1.2.0 Affected: 12.1.3.0 Affected: 13.0.2.0 Affected: 13.0.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12569",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T03:56:12.541322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:34:13.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windchill PDMLink",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.1.0.0"
},
{
"status": "affected",
"version": "13.1.1.0"
},
{
"status": "affected",
"version": "13.1.2.0"
},
{
"status": "affected",
"version": "13.1.3.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FlexPLM",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.0.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "12.1.3.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u0026nbsp;\u003cdiv\u003e\u003cul\u003e\u003cli\u003eThis advisory also applies to all CPS versions\u003c/li\u003e\u003cli\u003eThe identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u00a0 * This advisory also applies to all CPS versions\n * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
},
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T00:11:35.241Z",
"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"shortName": "PTC"
},
"references": [
{
"tags": [
"vendor-advisory",
"mitigation",
"permissions-required"
],
"url": "https://www.ptc.com/en/support/article/CS473270"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in Windchill PDMlink",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"assignerShortName": "PTC",
"cveId": "CVE-2026-12569",
"datePublished": "2026-06-18T00:11:35.241Z",
"dateReserved": "2026-06-18T00:02:58.904Z",
"dateUpdated": "2026-06-30T17:34:13.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12481 (GCVE-0-2026-12481)
Vulnerability from cvelistv5 – Published: 2026-07-03 20:36 – Updated: 2026-07-06 15:15- CWE-502 - Deserialization of Untrusted Data
| Vendor | Product | Version | |
|---|---|---|---|
| keras-team | keras-team/keras |
Affected:
unspecified , ≤ latest
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T15:15:34.297007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T15:15:46.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/59ceaed1-c8a3-4135-8f94-169ade02823d"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "keras-team/keras",
"vendor": "keras-team",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. Specifically, the `_raise_for_lambda_deserialization()` function fails to enforce the safe-mode guard when `safe_mode` is set to `None`, which is the default value when `from_config()` is called outside of a `SafeModeScope` context. This logic error conflates `None` (unset/default-deny) with `False` (explicitly disabled), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized. Affected call sites include `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, and any direct invocation of `Lambda.from_config(config)` without an enclosing `SafeModeScope(True)`. This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T20:36:05.003Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/59ceaed1-c8a3-4135-8f94-169ade02823d"
}
],
"source": {
"advisory": "59ceaed1-c8a3-4135-8f94-169ade02823d",
"discovery": "EXTERNAL"
},
"title": "Deserialization of Untrusted Data in keras-team/keras"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2026-12481",
"datePublished": "2026-07-03T20:36:05.003Z",
"dateReserved": "2026-06-17T01:06:48.759Z",
"dateUpdated": "2026-07-06T15:15:46.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12256 (GCVE-0-2026-12256)
Vulnerability from cvelistv5 – Published: 2026-06-16 20:57 – Updated: 2026-06-17 10:44- CWE-502 - Deserialization of Untrusted Data
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/theme/a… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeFusion | Avada |
Affected:
n/a , ≤ 3.15.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T10:29:03.591684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T10:44:37.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "avada",
"product": "Avada",
"vendor": "ThemeFusion",
"versions": [
{
"changes": [
{
"at": "3.15.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Contributor PHP Object Injection in Avada \u003c= 3.15.3 versions."
}
],
"value": "Contributor PHP Object Injection in Avada \u003c= 3.15.3 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:57:21.069Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-3-15-3-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Avada Theme to the latest available version (at least 3.15.4)."
}
],
"value": "Update the WordPress Avada Theme to the latest available version (at least 3.15.4)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Avada theme \u003c= 3.15.3 - PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-12256",
"datePublished": "2026-06-16T20:57:21.069Z",
"dateReserved": "2026-06-15T08:56:12.050Z",
"dateUpdated": "2026-06-17T10:44:37.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12240 (GCVE-0-2026-12240)
Vulnerability from cvelistv5 – Published: 2026-06-30 06:52 – Updated: 2026-06-30 15:58- CWE-502 - Deserialization of Untrusted Data
| Vendor | Product | Version | |
|---|---|---|---|
| qlstudio | Export User Data |
Affected:
0 , ≤ 2.2.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T14:20:29.740567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:58:52.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Export User Data",
"vendor": "qlstudio",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Webbernaut"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to trigger a user data export while a subscriber-level (or higher) user has stored a crafted serialized XLSXWriter object payload as their display name."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T06:52:40.964Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39f12ff1-63ee-4131-a708-49633f22ccd4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-user-data/tags/2.2.6/library/core/helper.php#L171"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-29T18:15:59.000Z",
"value": "Disclosed"
}
],
"title": "Export User Data \u003c= 2.2.6 - Authenticated (Subscriber+) PHP Object Injection to Arbitrary File Deletion via display_name Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12240",
"datePublished": "2026-06-30T06:52:40.964Z",
"dateReserved": "2026-06-15T05:02:04.582Z",
"dateUpdated": "2026-06-30T15:58:52.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12191 (GCVE-0-2026-12191)
Vulnerability from cvelistv5 – Published: 2026-06-14 23:00 – Updated: 2026-06-15 21:48| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370837 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/370837/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12191 | third-party-advisory |
| https://vuldb.com/submit/825699 | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T21:47:58.984431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T21:48:54.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:comma_ai:openpilot:*:*:*:*:*:*:*:*"
],
"modules": [
"Pickle Module"
],
"product": "Openpilot",
"vendor": "Comma AI",
"versions": [
{
"status": "affected",
"version": "0.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "khellwan (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.8,
"vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T23:00:08.503Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370837 | Comma AI Openpilot Pickle modeld.py pickle.loads deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370837"
},
{
"name": "VDB-370837 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370837/cti"
},
{
"name": "CVE-2026-12191 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12191"
},
{
"name": "Submit #825699 | Comma AI Openpilot 0.11 Deserialization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825699"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-14T08:48:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "Comma AI Openpilot Pickle modeld.py pickle.loads deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12191",
"datePublished": "2026-06-14T23:00:08.503Z",
"dateReserved": "2026-06-14T06:43:50.623Z",
"dateUpdated": "2026-06-15T21:48:54.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12115 (GCVE-0-2026-12115)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:30 – Updated: 2026-06-17 10:36- CWE-502 - Deserialization of Untrusted Data
| Vendor | Product | Version | |
|---|---|---|---|
| wpcalc | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress |
Affected:
0 , ≤ 2.0.13
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T10:36:27.607909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T10:36:36.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Counter Box \u2013 Add Countdowns, Timers \u0026 Dynamic Counters to WordPress",
"vendor": "wpcalc",
"versions": [
{
"lessThanOrEqual": "2.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Long"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Counter Box \u2013 Add Countdowns, Timers \u0026 Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:30:58.692Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3498c871-9404-4d12-9609-16fecf218b30?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/counter-box/tags/2.0.13/classes/Admin/DBManager.php#L168"
},
{
"url": "https://plugins.trac.wordpress.org/browser/counter-box/tags/2.0.13/classes/Admin/ImporterExporter.php#L101"
},
{
"url": "https://plugins.trac.wordpress.org/browser/counter-box/tags/2.0.13/classes/Admin/ListTable.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/browser/counter-box/tags/2.0.13/classes/Admin/Settings.php#L155"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3570995%40counter-box\u0026new=3570995%40counter-box\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-13T10:37:19.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Counter Box \u003c= 2.0.13 - Authenticated (Administrator+) PHP Object Injection via Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12115",
"datePublished": "2026-06-17T09:30:58.692Z",
"dateReserved": "2026-06-12T14:46:23.642Z",
"dateUpdated": "2026-06-17T10:36:36.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.