QwikSec

Security Database

CVE

CWE

Training

CVE-2016-15044

Published: Jul 23, 2025

Modified: May 15, 2026

PUBLISHED

Description

A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.

Vendor	Product	Versions
Kaltura	Video Platform	affected `0 - < 11.1.0-2`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rb

exploit

https://www.exploit-db.com/exploits/39563

exploit

https://www.exploit-db.com/exploits/40404

exploit

https://www.vulncheck.com/advisories/kaltura-php-object-injection-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.