CVE-2016-15044
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data wit
CVSS
—
No CVSS
EPSS
1.4%
p70
KEV
—
Exploit Today
21
0-100
Published: Jul 23, 2025 · Last modified: Jul 15, 2026 · CWE-94 · CWE-502
1.4%EPSS · 30 days1.4%
2026-06-302026-07-16
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.
- raw.githubusercontent.comhttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rb
- www.exploit-db.comhttps://www.exploit-db.com/exploits/39563
- www.exploit-db.comhttps://www.exploit-db.com/exploits/40404
- www.vulncheck.comhttps://www.vulncheck.com/advisories/kaltura-php-object-injection-rce
- www.exploit-db.comhttps://www.exploit-db.com/exploits/39563
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2021-422379.8 CRI99.9%
KEV—80Sitecore XP Remote Command Execution Vulnerability8dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-456598.8 HIG86.8%
KEV—76Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability15dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability1dCVE-2026-125699.8 CRI66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability17d