CWE-502
Deserialization of Untrusted Data
BaseDraftLikelihood: Medium
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (858)
page 2 of 43| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14931 | Cri | 0.65 | 10.0 | 0.05 | Dec 23, 2025 | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312. | |
| CVE-2025-10363 | Cri | 0.65 | — | 0.02 | Oct 6, 2025 | Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution.This issue affects at least Topal Finanzbuchhaltung: 10.1.5.20 and is fixed in version 11.2.12.00 | |
| CVE-2025-58384 | Cri | 0.65 | 10.0 | 0.02 | Sep 26, 2025 | In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. | |
| CVE-2025-42944 | Cri | 0.65 | 10.0 | 0.00 | Sep 9, 2025 | Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability. | |
| CVE-2024-13980 | Cri | 0.65 | — | 0.03 | Aug 27, 2025 | H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC. | |
| CVE-2025-34153 | Cri | 0.65 | — | 0.01 | Aug 13, 2025 | Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM. | |
| CVE-2025-34060 | Cri | 0.65 | — | 0.02 | Jul 1, 2025 | A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. | |
| CVE-2025-48200 | Cri | 0.65 | 10.0 | 0.02 | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. | |
| CVE-2024-50507 | Cri | 0.65 | 9.8 | 0.22 | Oct 30, 2024 | Deserialization of Untrusted Data vulnerability in Daschmi DS.DownloadList dsdownloadlist allows Object Injection.This issue affects DS.DownloadList: from n/a through <= 1.3. | |
| CVE-2024-30225 | Cri | 0.65 | 10.0 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10. | |
| CVE-2024-30224 | Cri | 0.65 | 10.0 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2. | |
| CVE-2024-25100 | Cri | 0.65 | 10.0 | 0.01 | Feb 12, 2024 | Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program allows Object Injection.This issue affects Coupon Referral Program: from n/a before 1.8.4. | |
| CVE-2023-6933 | Hig | 0.65 | 8.8 | 0.93 | Feb 5, 2024 | The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |
| CVE-2023-52225 | Cri | 0.65 | 10.0 | 0.01 | Jan 8, 2024 | Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1. | |
| CVE-2023-52218 | Cri | 0.65 | 10.0 | 0.01 | Jan 8, 2024 | Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway.This issue affects Woocommerce Tranzila Payment Gateway: from n/a through 1.0.8. | |
| CVE-2023-52181 | Cri | 0.65 | 10.0 | 0.00 | Dec 31, 2023 | Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1. | |
| CVE-2023-51505 | Cri | 0.65 | 10.0 | 0.01 | Dec 29, 2023 | Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store.This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store : from n/a through 1.0.6. | |
| CVE-2023-49778 | Cri | 0.65 | 10.0 | 0.01 | Dec 21, 2023 | Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6. | |
| CVE-2023-49773 | Cri | 0.65 | 10.0 | 0.00 | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through 0.23. | |
| CVE-2023-49772 | Cri | 0.65 | 10.0 | 0.00 | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0. |