VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 10 of 87
  • CVE-2025-60225CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection.This issue affects BugsPatrol: from n/a through <= 1.5.0.

  • CVE-2025-60224CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in wpshuffle Subscribe to Download subscribe-to-download allows Object Injection.This issue affects Subscribe to Download: from n/a through <= 2.0.9.

  • CVE-2025-60221CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Object Injection.This issue affects Captivate Sync: from n/a through <= 3.0.3.

  • CVE-2025-60216CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection.This issue affects Addison: from n/a through < 1.4.8.

  • CVE-2025-60214CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through < 1.3.0.

  • CVE-2025-60213CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in Whitebox-Studio Scape scape allows Object Injection.This issue affects Scape: from n/a through <= 1.5.13.

  • CVE-2025-60209CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection.This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.

  • CVE-2025-60039CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0.

  • CVE-2025-59007CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.

  • CVE-2025-49380CriOct 22, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.

  • CVE-2025-62515CriOct 17, 2025
    risk 0.64cvss 9.8epss 0.01

    pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The…

  • CVE-2025-35051CriOct 9, 2025
    risk 0.64cvss 9.8epss 0.01

    Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture,…

  • CVE-2025-52761CriAug 28, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0.

  • CVE-2025-54014CriAug 20, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1.

  • CVE-2025-53299CriAug 20, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer tmm_content_composer allows Object Injection.This issue affects ThemeMakers Visual Content Composer: from n/a through <= 1.5.8.

  • CVE-2025-49890CriAug 20, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeREX Organic Beauty organic-beauty allows Object Injection.This issue affects Organic Beauty: from n/a through <= 1.4.6.

  • CVE-2025-49434CriAug 20, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in axiomthemes Cars4Rent cars4rent allows Object Injection.This issue affects Cars4Rent: from n/a through <= 1.4.2.

  • CVE-2025-54686CriAug 14, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.This issue affects Exertio: from n/a through <= 1.3.2.

  • CVE-2025-7384CriAug 13, 2025
    risk 0.64cvss 9.8epss 0.02

    The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated…

  • CVE-2025-50472CriAug 1, 2025
    risk 0.64cvss 9.8epss 0.01

    The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious…