CyberSec.Space Logo
Back to CVE Browser

CVE-2016-15044

PENDING
N/A
CVSS Severity Score
EPSS Score0.0390%
EPSS Percentile28.39th
PublishedJul 23, 2025
Last ModifiedApr 15, 2026

Vulnerability Description

A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

πŸ”— https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rb
πŸ”— https://www.exploit-db.com/exploits/39563
πŸ”— https://www.exploit-db.com/exploits/40404
πŸ”— https://www.vulncheck.com/advisories/kaltura-php-object-injection-rce
πŸ”— https://www.exploit-db.com/exploits/39563

Related Vulnerabilities

CVE-2016-608210.0

IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race conditi...

CVE-2016-836310.0

An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-...

CVE-2016-1004310.0

An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to...

CVE-2016-893810.0

IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the serve...