VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft · Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
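Added illustration (not part of the CWE entry and not code from any product listed below): a Python script that shows the weakness in its most direct form, attacker-supplied bytes passed straight to pickle.loads(), beside two mitigations. Everything in it is constructed for this example: the Job dataclass stands for the message type a service actually expects, side_effect stands in for os.system or subprocess.call (the kind of callable an attacker names so the effect stays observable without running a command), and the two sample messages are built inline.

```python
"""CWE-502 in Python: pickle.loads() on untrusted bytes executes attacker-chosen callables.

Constructed example. Job, side_effect, Payload and the sample messages are all
made up for this demonstration; none of them comes from a real product.
"""
import dataclasses
import importlib
import io
import json
import pickle

# Records every call the hostile payload makes, so the effect is visible
# without running a real command (constructed for this example).
CALLS = []


def side_effect(arg):
    """Stand-in for os.system / subprocess.call: the callable an attacker would name."""
    CALLS.append(arg)
    return arg


class Payload:
    """Attacker-side object. The pickle stores only the callable and arguments
    returned by __reduce__, so the victim never needs this class: unpickling
    simply calls side_effect(...) during load."""

    def __reduce__(self):
        return (side_effect, ("attacker-chosen argument",))


@dataclasses.dataclass
class Job:
    """The legitimate message type the service expects (constructed)."""
    name: str
    retries: int


# Constructed inputs: one benign message, one hostile one.
BENIGN_PICKLE = pickle.dumps(Job("nightly-backup", 3), protocol=4)
MALICIOUS_PICKLE = pickle.dumps(Payload(), protocol=4)


def loads_unsafe(data):
    """The CWE-502 pattern: untrusted bytes go straight into pickle.loads()."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: allowlist the only global a Job pickle legitimately needs.
    Every GLOBAL/STACK_GLOBAL opcode goes through find_class, so a payload that
    names os.system, subprocess.Popen or side_effect is refused before it runs."""

    ALLOWED = {(__name__, "Job")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def loads_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def job_from_json(text):
    """Mitigation 2 (preferred): a data-only format plus explicit validation of
    shape, types and ranges. JSON cannot name a callable, so there is nothing
    for a payload to invoke."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"name", "retries"}:
        raise ValueError("unexpected message shape")
    name, retries = obj["name"], obj["retries"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(name, str) or not isinstance(retries, int) or isinstance(retries, bool):
        raise ValueError("bad field types")
    if not (0 <= retries <= 10):
        raise ValueError("retries out of range")
    return Job(name, retries)


def json_rejects(text):
    """True if job_from_json refuses the input (JSONDecodeError is a ValueError)."""
    try:
        job_from_json(text)
    except ValueError:
        return True
    return False


def demo():
    """Runs all three loaders over both messages and reports what happened."""
    results = {}
    results["benign_unsafe"] = loads_unsafe(BENIGN_PICKLE)
    CALLS.clear()
    loads_unsafe(MALICIOUS_PICKLE)            # side_effect runs during the load itself
    results["calls_after_unsafe"] = list(CALLS)
    CALLS.clear()
    try:
        loads_restricted(MALICIOUS_PICKLE)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["calls_after_restricted"] = list(CALLS)
    results["benign_restricted"] = loads_restricted(BENIGN_PICKLE)
    results["json_ok"] = job_from_json('{"name": "nightly-backup", "retries": 3}')
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlisting unpickler is a containment measure, not a cure: pickle remains a code-execution format, and any allowed class with a permissive __setstate__ or __reduce__ is still reachable. Where the wire format can be changed, the JSON path is the fix the CWE entry actually asks for, because validation happens on plain data before any application object exists.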

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 19 of 87
  • CVE-2016-1114 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.09

    Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

  • CVE-2003-0791 · Critical · Oct 7, 2003
    risk 0.64 · cvss 9.8 · epss 0.02

    The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed.

  • CVE-2026-34659 · Critical · May 12, 2026
    risk 0.63 · cvss 9.6 · epss 0.01

    Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code.…

  • CVE-2026-27303 · Critical · Apr 14, 2026
    risk 0.63 · cvss 9.6 · epss 0.01

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a…

  • CVE-2025-15579 · Critical · Feb 18, 2026
    risk 0.62 · cvss n/a · epss 0.00

    Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation. This issue affects Directory Services: before 24.4.16, from 25.1…

  • CVE-2025-1077 · Critical · Feb 7, 2025
    risk 0.62 · cvss n/a · epss 0.01

    A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the…

  • CVE-2023-52200 · Critical · Jan 8, 2024
    risk 0.62 · cvss 9.6 · epss 0.00

    Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup. This issue affects ARMember – Membership Plugin, Content Restriction, Member…

  • CVE-2023-51545 · Critical · Dec 29, 2023
    risk 0.62 · cvss 9.6 · epss 0.00

    Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in ThemeHigh Job Manager & Career – Manage job board listings, and recruitments. This issue affects Job Manager & Career – Manage job board listings, and recruitments: from n/a through 1.4.4.

  • CVE-2023-51414 · Critical · Dec 29, 2023
    risk 0.62 · cvss 9.6 · epss 0.01

    Deserialization of Untrusted Data vulnerability in EnvialoSimple EnvíaloSimple: Email Marketing y Newsletters. This issue affects EnvíaloSimple: Email Marketing y Newsletters: from n/a through 2.1.

  • CVE-2018-17057 · Critical · Sep 14, 2018
    risk 0.62 · cvss 9.8 · epss 0.26

    An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

  • CVE-2026-44963 · Critical · Jun 9, 2026
    risk 0.61 · cvss n/a · epss 0.02

    A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

  • CVE-2026-34615 · Critical · Apr 14, 2026
    risk 0.61 · cvss 9.3 · epss 0.01

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a…

  • CVE-2026-3199 · Critical · Apr 8, 2026
    risk 0.61 · cvss n/a · epss 0.00

    A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

  • CVE-2026-26220 · Critical · Feb 17, 2026
    risk 0.61 · cvss n/a · epss 0.01

    LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without…

  • CVE-2025-34414 · Critical · Dec 9, 2025
    risk 0.61 · cvss n/a · epss 0.01

    Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP…

  • CVE-2025-2566 · Critical · Jun 24, 2025
    risk 0.61 · cvss n/a · epss 0.01

    Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.

  • CVE-2024-3300 · Critical · May 30, 2024
    risk 0.61 · cvss 9.0 · epss 0.03

    An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to pre-authentication remote code execution.

  • CVE-2017-17485 · Critical · Jan 10, 2018
    risk 0.61 · cvss 9.8 · epss 0.50

    FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the…

  • CVE-2016-7065 · High · Oct 13, 2016
    risk 0.61 · cvss 8.8 · epss 0.12

    The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.

  • CVE-2026-46725 · Critical · May 19, 2026
    risk 0.60 · cvss n/a · epss 0.02

    The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3…