VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft · Likelihood of Exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
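
The shape of this weakness in runnable form, as an added example that is not part of the CWE entry: a Python endpoint that accepts a pickle from the client. Python's pickle, like Java's ObjectInputStream and PHP's unserialize() in the CVEs listed below, resolves and calls whatever callable the wire bytes name, so the attacker decides which code runs before the application ever sees the result. The Invoice type, the side_effect recorder (standing in for os.system or a gadget chain so the example is safe to run), the allow-list and the sample payloads are all hypothetical constructions for this example. The hardened loader applies the same control the vulnerable products lacked: an explicit allow-list of classes, followed by validation of the object that comes out.

```python
import io
import json
import pickle

# Hypothetical application type: the only object this endpoint should ever
# receive. (Assumed for this example; not from the CWE entry.)
class Invoice:
    def __init__(self, customer: str, total: float):
        self.customer = customer
        self.total = total


# Stand-in for an attacker's payload callable. Real payloads name os.system,
# subprocess.Popen or a framework gadget chain; a recorder is used here so
# the example is safe to run and the test can observe whether it fired.
CALLS = []

def side_effect(tag: str) -> str:
    CALLS.append(tag)
    return tag


class Exploit:
    # pickle serialises whatever __reduce__ returns: a callable plus its
    # arguments. On load the callable runs before application code gets a
    # chance to inspect anything.
    def __reduce__(self):
        return (side_effect, ("code-ran-during-load",))


def benign_payload() -> bytes:
    """What a well-behaved client sends (constructed sample input)."""
    return pickle.dumps(Invoice("acme", 42.0))


def malicious_payload() -> bytes:
    """What an attacker sends to the same endpoint (constructed)."""
    return pickle.dumps(Exploit())


def vulnerable_load(data: bytes):
    """CWE-502: lets the wire bytes decide which code runs."""
    return pickle.loads(data)


# Hardened form: resolve only an explicit allow-list of (module, name) pairs,
# the same idea as a Java ObjectInputFilter or PHP's
# unserialize($s, ['allowed_classes' => [...]]). Everything else, builtins
# included, is refused when the global is resolved, before REDUCE/NEWOBJ
# could execute it.
ALLOWED_CLASSES = {(cls.__module__, cls.__qualname__): cls for cls in (Invoice,)}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_CLASSES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name} from untrusted pickle"
            ) from None


def safe_load(data: bytes) -> Invoice:
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    # The allow-list controls which code can run; the resulting object still
    # has to be checked (the "ensuring the resulting data is valid" half).
    if not isinstance(obj, Invoice):
        raise pickle.UnpicklingError(f"unexpected top-level type {type(obj).__name__}")
    customer, total = getattr(obj, "customer", None), getattr(obj, "total", None)
    if not isinstance(customer, str) or isinstance(total, bool) \
            or not isinstance(total, (int, float)) or total < 0:
        raise ValueError("invoice fields failed validation")
    return obj


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refused the payload without running it."""
    before = len(CALLS)
    try:
        safe_load(data)
    except (pickle.UnpicklingError, ValueError):
        return len(CALLS) == before
    return False


# Better still for data that crosses a trust boundary: a format with no
# code-execution semantics at all, plus explicit field validation.
def load_invoice_json(text: str) -> Invoice:
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"customer", "total"}:
        raise ValueError("unexpected document shape")
    if not isinstance(doc["customer"], str) or isinstance(doc["total"], bool) \
            or not isinstance(doc["total"], (int, float)) or doc["total"] < 0:
        raise ValueError("invalid field types")
    return Invoice(doc["customer"], float(doc["total"]))


if __name__ == "__main__":
    print("vulnerable loader returned:", vulnerable_load(malicious_payload()), CALLS)
    print("hardened loader rejects exploit:", is_rejected(malicious_payload()))
    inv = safe_load(benign_payload())
    print("hardened loader accepts invoice:", inv.customer, inv.total)
```

Two caveats a practitioner should keep in mind. An allow-list is only as safe as the classes on it: any allow-listed type whose __setstate__, __reduce__ or constructor does interesting work is itself a gadget, which is why the real fix is to stop accepting code-bearing formats from untrusted peers and move to JSON or protobuf with schema validation. And the allow-list check must happen at resolution time (find_class here, ObjectInputFilter in Java, allowed_classes in PHP); validating the object after a full pickle.loads() is too late, because the payload has already executed.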

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586: Object Injection

CVEs mapped to this weakness (1,721)

page 1 of 87. Each entry lists the severity, whether the CVE is in CISA's Known Exploited Vulnerabilities (KEV) catalog, the publication date, and the site's risk, CVSS and EPSS scores.
  • CVE-2017-12149 · Critical · KEV · Oct 4, 2017
    risk 0.92 · cvss 9.8 · epss 0.91

    In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute…

  • CVE-2018-2628 · Critical · KEV · Apr 19, 2018
    risk 0.87 · cvss 9.8 · epss 0.99

    Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with…

  • CVE-2015-7450 · Critical · KEV · Jan 2, 2016
    risk 0.87 · cvss 9.8 · epss 0.98

    Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the…

  • CVE-2017-3066 · Critical · KEV · Apr 27, 2017
    risk 0.86 · cvss 9.8 · epss 0.91

    Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

  • CVE-2015-4852 · Critical · KEV · Nov 18, 2015
    risk 0.86 · cvss 9.8 · epss 0.96

    The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache…

  • CVE-2018-4939 · Critical · KEV · May 19, 2018
    risk 0.81 · cvss 9.8 · epss 0.63

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-0824 · High · KEV · May 9, 2018
    risk 0.78 · cvss 8.8 · epss 0.73

    A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server…

  • CVE-2023-21529 · High · KEV · Feb 14, 2023
    risk 0.77 · cvss 8.8 · epss 0.62

    Microsoft Exchange Server Remote Code Execution Vulnerability

  • CVE-2018-0147 · Critical · KEV · Mar 8, 2018
    risk 0.77 · cvss 9.8 · epss 0.19

    A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of…

  • CVE-2026-45247 · Critical · KEV · May 26, 2026
    risk 0.76 · cvss 9.8 · epss 0.28

    Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit…

  • CVE-2026-20963 · Critical · KEV · Jan 13, 2026
    risk 0.76 · cvss 9.8 · epss 0.31

    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

  • CVE-2024-55556 · Critical · Jan 7, 2025
    risk 0.74 · cvss 9.8 · epss 0.44

    A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The…

  • CVE-2017-12557 · Critical · Feb 15, 2018
    risk 0.73 · cvss 9.8 · epss 0.80

    A remote code execution vulnerability was found in HPE Intelligent Management Center (iMC) PLAT 7.3 E0504P2 and earlier.

  • CVE-2017-5941 · Critical · Feb 9, 2017
    risk 0.72 · cvss 9.8 · epss 0.61

    An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

  • CVE-2012-0911 · Critical · Jul 12, 2012
    risk 0.72 · cvss 9.8 · epss 0.63

    TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b)…

  • CVE-2017-5645 · Critical · Apr 17, 2017
    risk 0.71 · cvss 9.8 · epss 0.89

    In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

  • CVE-2016-15044 · Critical · Jul 23, 2025
    risk 0.70 · cvss (not listed) · epss 0.01

    A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP…

  • CVE-2024-52433 · Critical · Nov 18, 2024
    risk 0.70 · cvss 9.8 · epss 0.03

    Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free (my-geo-posts-free) allows object injection. This issue affects My Geo Posts Free versions through 1.2 (inclusive).

  • CVE-2015-7501 · Critical · Nov 9, 2017
    risk 0.70 · cvss 9.8 · epss 0.83

    Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform…

  • CVE-2025-25034 · Critical · Jun 20, 2025
    risk 0.69 · cvss (not listed) · epss 0.03

    A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before…