VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 20 of 87
  • CVE-2026-44126CriMay 8, 2026
    risk 0.60cvss epss 0.00

    SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object.

  • CVE-2026-41586CriMay 7, 2026
    risk 0.60cvss epss 0.00

    Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on…

  • CVE-2025-15610CriApr 15, 2026
    risk 0.60cvss epss 0.00

    The .NET Remoting framework used by OpenText Fax (RightFax) includes known security vulnerabilities that could be exploited if the service is exposed in environments where the remoting ports are accessible.

  • CVE-2025-71260HigMar 19, 2026
    risk 0.60cvss 8.8epss 0.34

    BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the…

  • CVE-2026-26215CriFeb 11, 2026
    risk 0.60cvss epss 0.01

    manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled…

  • CVE-2026-23746CriJan 15, 2026
    risk 0.60cvss epss 0.01

    Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service…

  • CVE-2025-66571CriDec 4, 2025
    risk 0.60cvss epss 0.01

    UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP…

  • CVE-2024-12029CriMar 20, 2025
    risk 0.60cvss 9.8epss 0.05

    A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by…

  • CVE-2017-7525CriFeb 6, 2018
    risk 0.60cvss 9.8epss 0.38

    A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

  • CVE-2016-6793CriJul 17, 2017
    risk 0.60cvss 9.1epss 0.08

    The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute…

  • CVE-2016-0792HigApr 7, 2016
    risk 0.60cvss 8.8epss 0.83

    Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

  • CVE-2026-45051criJun 24, 2026
    risk 0.59cvss epss

    ## Summary **Description** A deserialization of untrusted data vulnerability (CWE-502) exists in OpenAM's WebAuthn authentication module. Under certain conditions, this may allow an attacker to achieve arbitrary code execution in the context of the application server. This…

  • CVE-2026-46495criJun 22, 2026
    risk 0.59cvss epss

    ## Summary **Description** A Deserialization of Untrusted Data (CWE-502) issue in OpenDJ's JMX RMI connector allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform reads and processes…

  • CVE-2026-9319CriJun 1, 2026
    risk 0.59cvss 9.0epss 0.00

    IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.

  • CVE-2025-69690CriMay 8, 2026
    risk 0.59cvss 9.1epss 0.01

    Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are…

  • CVE-2025-42928CriDec 9, 2025
    risk 0.59cvss 9.1epss 0.08

    Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on…

  • CVE-2025-47579CriSep 9, 2025
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection.This issue affects Photography: from n/a through <= 7.7.2.

  • CVE-2025-42980CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

  • CVE-2025-42966CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity,…

  • CVE-2025-42964CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.