Submeter #768942: Activiti <=7.20 or < 8.8.0 Deserializationinformação

TítuloActiviti <=7.20 or < 8.8.0 Deserialization
DescriçãoA critical remote code execution vulnerability exists in Activiti's process variable serialization system. The application accepts user-controlled Serializable objects via REST or Java APIs, stores them in the database without validation, and subsequently deserializes them using an unrestricted ObjectInputStream. This allows attackers to execute arbitrary code through deserialization gadget chains commonly available in Activiti deployments (Spring Framework, Jakarta Expression Language, Apache Commons Collections).
Fonte⚠️ https://github.com/AnalogyC0de/public_exp/issues/16
Utilizador
 Ana10gy (UID 93358)
Submissão27/02/2026 08h00 (há 1 mês)
Moderação11/03/2026 14h36 (12 days later)
EstadoAceite
Entrada VulDB350396 [Alfresco Activiti até 7.19/8.8.0 Process Variable Serialization System SerializableType.java deserialize/createObjectInputStream Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Want to know what is going to be exploited?

We predict KEV entries!