VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base; Status: Draft; Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 2 of 87
  • CVE-2017-5792 (Critical), Feb 15, 2018
    risk 0.69, CVSS 9.8, EPSS 0.35

    A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.

  • CVE-2017-9805 (High, KEV), Sep 15, 2017
    risk 0.69, CVSS 8.1, EPSS 0.99

    The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

  • CVE-2018-15691 (Critical), Aug 30, 2018
    risk 0.68, CVSS 9.8, EPSS 0.17

    Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code.

  • CVE-2018-9843 (Critical), Apr 12, 2018
    risk 0.68, CVSS 9.8, EPSS 0.17

    The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.

  • CVE-2017-17672 (Critical), Dec 14, 2017
    risk 0.68, CVSS 9.8, EPSS 0.15

    In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which…

  • CVE-2017-11153 (Critical), Aug 8, 2017
    risk 0.68, CVSS 9.8, EPSS 0.19

    Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.

  • CVE-2025-62368 (Critical), Oct 28, 2025
    risk 0.67, CVSS 9.0, EPSS 0.01

    Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0.

  • CVE-2024-56058 (Critical), Dec 18, 2024
    risk 0.67, CVSS 9.8, EPSS 0.02

    Deserialization of Untrusted Data vulnerability in denniskravetstns VRPConnector vrpconnector allows Object Injection. This issue affects VRPConnector: from n/a through <= 2.0.1.

  • CVE-2024-8353 (Critical), Sep 28, 2024
    risk 0.67, CVSS 9.8, EPSS 0.29

    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it…

  • CVE-2017-12558 (Critical), Feb 15, 2018
    risk 0.67, CVSS 9.8, EPSS 0.38

    A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.

  • CVE-2017-12556 (Critical), Feb 15, 2018
    risk 0.67, CVSS 9.8, EPSS 0.38

    A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.

  • CVE-2017-11284 (Critical), Dec 1, 2017
    risk 0.67, CVSS 9.8, EPSS 0.43

    Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2017-11283 (Critical), Dec 1, 2017
    risk 0.67, CVSS 9.8, EPSS 0.43

    Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2017-14702 (Critical), Sep 30, 2017
    risk 0.67, CVSS 9.8, EPSS 0.08

    ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.

  • CVE-2017-4914 (Critical), Jun 7, 2017
    risk 0.67, CVSS 9.8, EPSS 0.09

    VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance.

  • CVE-2015-8103 (Critical), Nov 25, 2015
    risk 0.67, CVSS 9.8, EPSS 0.87

    The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in…

  • CVE-2013-1465 (Critical), Feb 8, 2013
    risk 0.67, CVSS 9.8, EPSS 0.07

    The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

  • CVE-2025-34067 (Critical), Jul 2, 2025
    risk 0.66, CVSS n/a, EPSS 0.19

    An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user…

  • CVE-2024-52430 (Critical), Nov 18, 2024
    risk 0.66, CVSS 9.8, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in bublick Lis Video Gallery lis-video-gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through <= 0.2.1.

  • CVE-2018-15965 (Critical), Sep 25, 2018
    risk 0.66, CVSS 9.8, EPSS 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.