CVE-2026-49781
9.8 CRITICALUnauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions
Published: 2026-06-15 · Last updated: 2026-06-15
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Description
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)
- CVE-2026-49770 — Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions (9.8 CRITICAL)
- CVE-2026-49769 — Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions (9.8 CRITICAL)
- CVE-2026-49768 — Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions (9.8 CRITICAL)