CVE-2016-15044
Kaltura < 11.1.0-2 PHP Object Injection RCE
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.
| CWE | CWE-502 CWE-94 |
| Vendor | kaltura |
| Product | video platform |
| Published | Jul 23, 2025 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for kaltura video platform
Be the first to know when new unknown vulnerabilities affecting kaltura video platform are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Kaltura / Video Platform
* < 11.1.0-2
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rb exploit-db.com: https://www.exploit-db.com/exploits/39563 exploit-db.com: https://www.exploit-db.com/exploits/40404 vulncheck.com: https://www.vulncheck.com/advisories/kaltura-php-object-injection-rce
Credits
Security-Assessment.com