VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 23 of 87
  • CVE-2026-7654 (High) Jun 5, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()`…

  • CVE-2026-10042 (Critical) May 29, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize…

  • CVE-2025-11993 (High) May 29, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via…

  • CVE-2026-48207 (Critical) May 21, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data…

  • CVE-2026-6009 (High) May 19, 2026
    risk 0.57 | cvss (not listed) | epss 0.00

    Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system

  • CVE-2026-41957 (High) May 13, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40357 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-35439 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-33112 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-33110 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-31224 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive…

  • CVE-2026-31223 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without…

  • CVE-2026-31222 (High) May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This…

  • CVE-2026-31214 (Critical) May 12, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without…

  • CVE-2026-34084 (Critical) May 5, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can…

  • CVE-2026-42473 (Critical) May 1, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.

  • CVE-2026-42472 (Critical) May 1, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.

  • CVE-2026-42779 (Critical) May 1, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at…

  • CVE-2026-42778 (Critical) May 1, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was…

  • CVE-2026-41409 (Critical) Apr 27, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are…