VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 21 of 87
  • CVE-2025-42963CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control…

  • CVE-2025-26873CriMar 27, 2025
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler.This issue affects Traveler: from n/a through < 3.2.1.

  • CVE-2024-43252CriAug 19, 2024
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew HRM: from n/a through <= 1.1.1.

  • CVE-2024-43242CriAug 19, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.

  • CVE-2024-4371CriJun 13, 2024
    risk 0.59cvss 9.0epss 0.01

    The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products…

  • CVE-2024-33553CriApr 29, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5.

  • CVE-2024-30227CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.

  • CVE-2024-30226CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3.

  • CVE-2024-30223CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26.

  • CVE-2023-52202CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Folder Feedburner Playlist Free.This issue affects HTML5 MP3 Player with Folder Feedburner Playlist Free: from n/a through 2.8.0.

  • CVE-2023-52205CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free.This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0.

  • CVE-2023-52207CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Playlist Free.This issue affects HTML5 MP3 Player with Playlist Free: from n/a through 3.0.0.

  • CVE-2023-49777CriDec 31, 2023
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.

  • CVE-2019-17571CriDec 20, 2019
    risk 0.59cvss 9.8epss 0.69

    Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects…

  • CVE-2018-8349HigAug 15, 2018
    risk 0.59cvss 8.8epss 0.23

    A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server…

  • CVE-2017-2292CriJun 30, 2017
    risk 0.59cvss 9.0epss 0.02

    Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective…

  • CVE-2016-3415CriJan 18, 2017
    risk 0.59cvss 9.1epss 0.02

    Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

  • CVE-2026-43633CriMay 19, 2026
    risk 0.58cvss 10.0epss 0.01

    HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted…

  • CVE-2026-33439CriApr 7, 2026
    risk 0.58cvss 9.8epss 0.10

    Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the…

  • CVE-2024-49699HigJan 21, 2025
    risk 0.58cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in reputeinfosystems ARPrice arprice allows Object Injection.This issue affects ARPrice: from n/a through <= 4.1.3.