CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CVE-2025-54638 (GCVE-0-2025-54638)
Vulnerability from cvelistv5 – Published: 2025-08-06 02:35 – Updated: 2025-08-06 19:41
VLAI
Summary
Issue of inconsistent read/write serialization in the ad module.
Impact: Successful exploitation of this vulnerability may affect the availability of the ad service.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T19:41:22.981449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T19:41:43.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue of inconsistent read/write serialization in the ad module.\u003cbr\u003eImpact: Successful exploitation of this vulnerability may affect the availability of the ad service."
}
],
"value": "Issue of inconsistent read/write serialization in the ad module.\nImpact: Successful exploitation of this vulnerability may affect the availability of the ad service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T02:35:18.531Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2025/8/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2025-54638",
"datePublished": "2025-08-06T02:35:18.531Z",
"dateReserved": "2025-07-28T03:55:34.531Z",
"dateUpdated": "2025-08-06T19:41:43.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54639 (GCVE-0-2025-54639)
Vulnerability from cvelistv5 – Published: 2025-08-06 02:38 – Updated: 2025-08-06 19:40
VLAI
Summary
ParcelMismatch vulnerability in attribute deserialization.
Impact: Successful exploitation of this vulnerability may cause playback control screen display exceptions.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54639",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T19:40:15.184706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T19:40:47.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ParcelMismatch vulnerability in attribute deserialization.\u003cbr\u003eImpact: Successful exploitation of this vulnerability may cause playback control screen display exceptions."
}
],
"value": "ParcelMismatch vulnerability in attribute deserialization.\nImpact: Successful exploitation of this vulnerability may cause playback control screen display exceptions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T02:38:25.798Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2025/8/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2025-54639",
"datePublished": "2025-08-06T02:38:25.798Z",
"dateReserved": "2025-07-28T03:55:34.531Z",
"dateUpdated": "2025-08-06T19:40:47.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54640 (GCVE-0-2025-54640)
Vulnerability from cvelistv5 – Published: 2025-08-06 02:40 – Updated: 2025-08-06 19:39
VLAI
Summary
ParcelMismatch vulnerability in attribute deserialization.
Impact: Successful exploitation of this vulnerability may cause playback control screen display exceptions.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T19:30:05.266943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T19:39:45.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ParcelMismatch vulnerability in attribute deserialization.\u003cbr\u003eImpact: Successful exploitation of this vulnerability may cause playback control screen display exceptions."
}
],
"value": "ParcelMismatch vulnerability in attribute deserialization.\nImpact: Successful exploitation of this vulnerability may cause playback control screen display exceptions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T02:40:00.628Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2025/8/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2025-54640",
"datePublished": "2025-08-06T02:40:00.628Z",
"dateReserved": "2025-07-28T03:55:34.531Z",
"dateUpdated": "2025-08-06T19:39:45.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54686 (GCVE-0-2025-54686)
Vulnerability from cvelistv5 – Published: 2025-08-14 10:34 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress Exertio Theme <= 1.3.2 - PHP Object Injection Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.This issue affects Exertio: from n/a through <= 1.3.2.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/e… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| scriptsbundle | Exertio |
Affected:
0 , ≤ 1.3.2
(custom)
|
Date Public
2026-04-01 16:43
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:46:39.242621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:48:20.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "exertio",
"product": "Exertio",
"vendor": "scriptsbundle",
"versions": [
{
"changes": [
{
"at": "1.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:02.133Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.\u003cp\u003eThis issue affects Exertio: from n/a through \u003c= 1.3.2.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.This issue affects Exertio: from n/a through \u003c= 1.3.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:34.984Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/exertio/vulnerability/wordpress-exertio-theme-1-3-2-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Exertio Theme \u003c= 1.3.2 - PHP Object Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54686",
"datePublished": "2025-08-14T10:34:48.233Z",
"dateReserved": "2025-07-28T10:55:49.523Z",
"dateUpdated": "2026-04-28T16:13:34.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54719 (GCVE-0-2025-54719)
Vulnerability from cvelistv5 – Published: 2025-11-06 15:54 – Updated: 2026-04-28 18:45
VLAI
Title
WordPress Yogi - Health Beauty & Yoga Theme <= 2.9.2 - Deserialization of untrusted data Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.This issue affects Yogi - Health Beauty & Yoga: from n/a through <= 2.9.2.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/n… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NooTheme | Yogi - Health Beauty & Yoga |
Affected:
0 , ≤ 2.9.2
(custom)
|
Date Public
2026-04-01 15:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T18:07:07.390356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T18:45:10.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "noo-yogi",
"product": "Yogi - Health Beauty \u0026 Yoga",
"vendor": "NooTheme",
"versions": [
{
"changes": [
{
"at": "2.9.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.9.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:27.858Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty \u0026 Yoga noo-yogi allows Object Injection.\u003cp\u003eThis issue affects Yogi - Health Beauty \u0026 Yoga: from n/a through \u003c= 2.9.2.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty \u0026 Yoga noo-yogi allows Object Injection.This issue affects Yogi - Health Beauty \u0026 Yoga: from n/a through \u003c= 2.9.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:35.864Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/noo-yogi/vulnerability/wordpress-yogi-health-beauty-yoga-theme-2-9-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
}
],
"title": "WordPress Yogi - Health Beauty \u0026 Yoga Theme \u003c= 2.9.2 - Deserialization of untrusted data Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54719",
"datePublished": "2025-11-06T15:54:15.371Z",
"dateReserved": "2025-07-28T10:56:24.796Z",
"dateUpdated": "2026-04-28T18:45:10.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54723 (GCVE-0-2025-54723)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:21 – Updated: 2026-04-28 18:45
VLAI
Title
WordPress DentiCare Theme < 1.4.3 - PHP Object Injection Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/d… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BoldThemes | DentiCare |
Affected:
0 , ≤ 1.4.3
(custom)
|
Date Public
2026-04-01 15:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T18:24:23.103202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T18:45:29.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "denticare",
"product": "DentiCare",
"vendor": "BoldThemes",
"versions": [
{
"changes": [
{
"at": "1.4.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bonds | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:27.155Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.\u003cp\u003eThis issue affects DentiCare: from n/a through \u003c 1.4.3.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through \u003c 1.4.3."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:35.844Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/denticare/vulnerability/wordpress-denticare-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress DentiCare Theme \u003c 1.4.3 - PHP Object Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54723",
"datePublished": "2025-12-18T07:21:49.313Z",
"dateReserved": "2025-07-28T10:56:24.797Z",
"dateUpdated": "2026-04-28T18:45:29.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54742 (GCVE-0-2025-54742)
Vulnerability from cvelistv5 – Published: 2025-08-28 12:37 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress WpEvently Plugin <= 4.4.8 - PHP Object Injection Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| magepeopleteam | WpEvently |
Affected:
0 , ≤ 4.4.8
(custom)
|
Date Public
2026-04-01 16:42
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T13:25:52.217648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T13:26:21.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mage-eventpress",
"product": "WpEvently",
"vendor": "magepeopleteam",
"versions": [
{
"changes": [
{
"at": "4.4.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ananda Dhakal (Patchstack)"
}
],
"datePublic": "2026-04-01T16:42:03.440Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.\u003cp\u003eThis issue affects WpEvently: from n/a through \u003c= 4.4.8.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through \u003c= 4.4.8."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:36.761Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-4-8-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress WpEvently Plugin \u003c= 4.4.8 - PHP Object Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54742",
"datePublished": "2025-08-28T12:37:40.246Z",
"dateReserved": "2025-07-28T10:56:41.543Z",
"dateUpdated": "2026-04-28T16:13:36.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54886 (GCVE-0-2025-54886)
Vulnerability from cvelistv5 – Published: 2025-08-08 00:03 – Updated: 2025-08-08 16:54
VLAI
Title
skops: Card.get_model does not block arbitrary code execution
Summary
skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/skops-dev/skops/security/advis… | x_refsource_CONFIRM |
| https://github.com/skops-dev/skops/commit/29d61ea… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54886",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T16:53:18.605087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T16:54:00.636Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "skops",
"vendor": "skops-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops\u0027 secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T00:03:45.318Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skops-dev/skops/security/advisories/GHSA-378x-6p4f-8jgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skops-dev/skops/security/advisories/GHSA-378x-6p4f-8jgm"
},
{
"name": "https://github.com/skops-dev/skops/commit/29d61ea8a92f2bde6830e8f32cc72a1a87211cda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skops-dev/skops/commit/29d61ea8a92f2bde6830e8f32cc72a1a87211cda"
}
],
"source": {
"advisory": "GHSA-378x-6p4f-8jgm",
"discovery": "UNKNOWN"
},
"title": "skops: Card.get_model does not block arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54886",
"datePublished": "2025-08-08T00:03:45.318Z",
"dateReserved": "2025-07-31T17:23:33.476Z",
"dateUpdated": "2025-08-08T16:54:00.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54897 (GCVE-0-2025-54897)
Vulnerability from cvelistv5 – Published: 2025-09-09 17:00 – Updated: 2026-02-26 17:49
VLAI
Title
Microsoft SharePoint Remote Code Execution Vulnerability
Summary
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Enterprise Server 2016 |
Affected:
16.0.0 , < 16.0.5517.1000
(custom)
|
|
| Microsoft | Microsoft SharePoint Server 2019 |
Affected:
16.0.0 , < 16.0.10417.20047
(custom)
|
|
| Microsoft | Microsoft SharePoint Server Subscription Edition |
Affected:
16.0.0 , < 16.0.19127.20100
(custom)
|
Date Public
2025-09-09 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T03:55:52.585685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:00.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Enterprise Server 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.5517.1000",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.10417.20047",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server Subscription Edition",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.19127.20100",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "16.0.5517.1000",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
"versionEndExcluding": "16.0.10417.20047",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
"versionEndExcluding": "16.0.19127.20100",
"versionStartIncluding": "16.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-09-09T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T16:00:19.610Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft SharePoint Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54897"
}
],
"title": "Microsoft SharePoint Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-54897",
"datePublished": "2025-09-09T17:00:53.664Z",
"dateReserved": "2025-07-31T18:54:19.611Z",
"dateUpdated": "2026-02-26T17:49:00.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54920 (GCVE-0-2025-54920)
Vulnerability from cvelistv5 – Published: 2026-03-14 09:01 – Updated: 2026-03-17 12:45
VLAI
Title
Apache Spark: Spark History Server Code Execution Vulnerability
Summary
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.
Summary
Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.
Details
The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.
The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.
Proof of Concept:
1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).
2. Inject the following JSON at the beginning of an event log file:
{
"Event": "org.apache.hive.jdbc.HiveConnection",
"uri": "jdbc:hive2://<IP>:<PORT>/",
"info": {
"hive.metastore.uris": "thrift://<IP>:<PORT>"
}
}
3. Start the Spark History Server with logs pointing to the modified directory.
4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.
Impact
An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Spark |
Affected:
0 , < 3.5.7
(semver)
Affected: 4.0.0 , < 4.0.1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-14T09:12:25.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/13/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T03:55:33.419437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T12:45:29.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://mvnrepository.com/artifact/org.apache.spark/spark-core",
"defaultStatus": "unaffected",
"packageName": "org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12",
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alexandre Pujol (Linagora)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eSummary\u003c/b\u003e\u003c/p\u003e\u003cp\u003eApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eDetails\u003c/b\u003e\u003c/p\u003e\u003cp\u003eThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with \u003ccode\u003e@JsonTypeInfo.Id.CLASS\u003c/code\u003e on \u003ccode\u003eSparkListenerEvent\u003c/code\u003e objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as \u003ccode\u003eorg.apache.hive.jdbc.HiveConnection\u003c/code\u003e, which can perform network calls or other malicious actions during deserialization.\u003c/p\u003e\n\u003cp\u003eThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProof of Concept:\u003c/strong\u003e\u003c/p\u003e1. Run Spark with event logging enabled, writing to a writable directory (\u003ccode\u003espark-logs\u003c/code\u003e).\u003cp\u003e\u003c/p\u003e\u003cp\u003e2. Inject the following JSON at the beginning of an event log file:\n\u003c/p\u003e\u003cpre\u003e\u003cdiv\u003e\u003cdiv\u003e{\u003c/div\u003e\u003cdiv\u003e\u003ccode\u003e \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n \"uri\": \"jdbc:hive2://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;/\",\n \"info\": {\n \"hive.metastore.uris\": \"thrift://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;\"\n }\n}\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e3. Start the Spark History Server with logs pointing to the modified directory.\u003c/p\u003e\u003cp\u003e4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\u003cbr\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u003cbr\u003e\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eImpact\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\n\n\n\n\n\nSummary\n\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\n\n\n\n\n\nDetails\n\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\n\n\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\n\n\n\n\n\n\nProof of Concept:\n\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\n\n2. Inject the following JSON at the beginning of an event log file:\n\n\n{\n\n \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n \"uri\": \"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\",\n \"info\": {\n \"hive.metastore.uris\": \"thrift://\u003cIP\u003e:\u003cPORT\u003e\"\n }\n}\n\n\n\n\n\n\n\n3. Start the Spark History Server with logs pointing to the modified directory.\n\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\n\n\n\n\n\n\n\n\n\n\nImpact\n\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-14T09:01:50.486Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/spark/pull/51312"
},
{
"tags": [
"patch"
],
"url": "https://github.com/apache/spark/pull/51323"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/SPARK-52381"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s"
}
],
"source": {
"defect": [
"SPARK-52381"
],
"discovery": "UNKNOWN"
},
"title": "Apache Spark: Spark History Server Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54920",
"datePublished": "2026-03-14T09:01:50.486Z",
"dateReserved": "2025-08-01T01:09:45.224Z",
"dateUpdated": "2026-03-17T12:45:29.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Architecture and Design, Implementation
Description:
- If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Phase: Implementation
Description:
- When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Phase: Implementation
Description:
- Explicitly define a final object() to prevent deserialization.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Phase: Implementation
Description:
- Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation ID: MIT-29
Phase: Operation
Strategy: Firewall
Description:
- Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.