Submit #768942: Activiti <=7.20 or < 8.8.0 Deserializationinfo

Title	Activiti <=7.20 or < 8.8.0 Deserialization
Description	A critical remote code execution vulnerability exists in Activiti's process variable serialization system. The application accepts user-controlled Serializable objects via REST or Java APIs, stores them in the database without validation, and subsequently deserializes them using an unrestricted ObjectInputStream. This allows attackers to execute arbitrary code through deserialization gadget chains commonly available in Activiti deployments (Spring Framework, Jakarta Expression Language, Apache Commons Collections).
Source	⚠️ https://github.com/AnalogyC0de/public_exp/issues/16
User	Ana10gy (UID 93358)
Submission	02/27/2026 08:00 (1 month ago)
Moderation	03/11/2026 14:36 (12 days later)
Status	Accepted
VulDB entry	350396 [Alfresco Activiti up to 7.19/8.8.0 Process Variable Serialization System SerializableType.java deserialize/createObjectInputStream deserialization]
Points	20

Interested in the pricing of exploits?

See the underground prices here!