CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

CWE-913

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (971)

page 24 of 49

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-60234	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection.This issue affects Single Property: from n/a through <= 2.8.
CVE-2025-60228	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection.This issue affects Knowledge Base: from n/a through <= 2.9.
CVE-2025-60215	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection.This issue affects Kriya: from n/a through <= 3.4.
CVE-2025-60212	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection.This issue affects VEDA: from n/a through <= 4.2.
CVE-2025-52740	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in Hernan Villanueva Boldermail boldermail allows Object Injection.This issue affects Boldermail: from n/a through <= 2.4.0.
CVE-2025-52737	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection.This issue affects WP Store Locator: from n/a through <= 2.2.260.
CVE-2025-32283	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection.This issue affects Solar Energy: from n/a through <= 3.5.
CVE-2025-31634	Hig	0.57	8.8	0.00	Oct 22, 2025	Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection.This issue affects Insurance: from n/a through <= 3.5.
CVE-2025-53303	Hig	0.57	8.8	0.00	Sep 9, 2025	Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection.This issue affects ThemeMove Core: from n/a through <= 1.4.2.
CVE-2025-48101	Hig	0.57	8.8	0.00	Sep 9, 2025	Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.
CVE-2025-5662	Cri	0.57	9.8	0.02	Sep 2, 2025	A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.
CVE-2025-54742	Hig	0.57	8.8	0.00	Aug 28, 2025	Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8.
CVE-2025-54923	Hig	0.57	—	0.02	Aug 20, 2025	CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.
CVE-2025-54007	Hig	0.57	8.8	0.00	Aug 20, 2025	Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11.
CVE-2025-53560	Hig	0.57	8.8	0.00	Aug 20, 2025	Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0.
CVE-2025-8145	Hig	0.57	8.8	0.02	Aug 20, 2025	The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
CVE-2025-49869	Hig	0.57	8.8	0.00	Aug 14, 2025	Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.0.31.
CVE-2025-50460	Cri	0.57	9.8	0.04	Aug 1, 2025	A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue.
CVE-2025-7433	Hig	0.57	8.8	0.00	Jul 17, 2025	A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution.
CVE-2025-31422	Hig	0.57	8.8	0.00	Jul 16, 2025	Deserialization of Untrusted Data vulnerability in designthemes Visual Art \| Gallery WordPress Theme visual-arts allows Object Injection.This issue affects Visual Art \| Gallery WordPress Theme: from n/a through <= 2.4.

CVE-2025-60234HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection.This issue affects Single Property: from n/a through <= 2.8.
CVE-2025-60228HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection.This issue affects Knowledge Base: from n/a through <= 2.9.
CVE-2025-60215HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection.This issue affects Kriya: from n/a through <= 3.4.
CVE-2025-60212HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection.This issue affects VEDA: from n/a through <= 4.2.
CVE-2025-52740HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in Hernan Villanueva Boldermail boldermail allows Object Injection.This issue affects Boldermail: from n/a through <= 2.4.0.
CVE-2025-52737HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection.This issue affects WP Store Locator: from n/a through <= 2.2.260.
CVE-2025-32283HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection.This issue affects Solar Energy: from n/a through <= 3.5.
CVE-2025-31634HigOct 22, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection.This issue affects Insurance: from n/a through <= 3.5.
CVE-2025-53303HigSep 9, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection.This issue affects ThemeMove Core: from n/a through <= 1.4.2.
CVE-2025-48101HigSep 9, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.
CVE-2025-5662CriSep 2, 2025
risk 0.57cvss 9.8epss 0.02
A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.
CVE-2025-54742HigAug 28, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8.
CVE-2025-54923HigAug 20, 2025
risk 0.57cvss —epss 0.02
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.
CVE-2025-54007HigAug 20, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11.
CVE-2025-53560HigAug 20, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0.
CVE-2025-8145HigAug 20, 2025
risk 0.57cvss 8.8epss 0.02
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
CVE-2025-49869HigAug 14, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.0.31.
CVE-2025-50460CriAug 1, 2025
risk 0.57cvss 9.8epss 0.04
A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue.
CVE-2025-7433HigJul 17, 2025
risk 0.57cvss 8.8epss 0.00
A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution.
CVE-2025-31422HigJul 16, 2025
risk 0.57cvss 8.8epss 0.00
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme visual-arts allows Object Injection.This issue affects Visual Art | Gallery WordPress Theme: from n/a through <= 2.4.