Отправить #768942: Activiti <=7.20 or < 8.8.0 DeserializationИнформация

Название	Activiti <=7.20 or < 8.8.0 Deserialization
Описание	A critical remote code execution vulnerability exists in Activiti's process variable serialization system. The application accepts user-controlled Serializable objects via REST or Java APIs, stores them in the database without validation, and subsequently deserializes them using an unrestricted ObjectInputStream. This allows attackers to execute arbitrary code through deserialization gadget chains commonly available in Activiti deployments (Spring Framework, Jakarta Expression Language, Apache Commons Collections).
Источник	⚠️ https://github.com/AnalogyC0de/public_exp/issues/16
Пользователь	Ana10gy (UID 93358)
Представление	27.02.2026 08:00 (1 месяц назад)
Модерация	11.03.2026 14:36 (12 days later)
Статус	принято
Запись VulDB	350396 [Alfresco Activiti до 7.19/8.8.0 Process Variable Serialization System SerializableType.java deserialize/createObjectInputStream эскалация привилегий]
Баллы	20

Might our Artificial Intelligence support you?

Check our Alexa App!