Critical severityNVD Advisory· Published Jul 23, 2025· Updated Apr 15, 2026

CVE-2016-15044

Description

A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rbnvd
www.exploit-db.com/exploits/39563nvd
www.exploit-db.com/exploits/40404nvd
www.vulncheck.com/advisories/kaltura-php-object-injection-rcenvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.054
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000