VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 25 of 87
  • CVE-2025-47579CriSep 9, 2025
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection.This issue affects Photography: from n/a through <= 7.7.2.

  • CVE-2025-42980CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

  • CVE-2025-42966CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity,…

  • CVE-2025-42964CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

  • CVE-2025-42963CriJul 8, 2025
    risk 0.59cvss 9.1epss 0.01

    A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control…

  • CVE-2025-26873CriMar 27, 2025
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler.This issue affects Traveler: from n/a through < 3.2.1.

  • CVE-2024-43252CriAug 19, 2024
    risk 0.59cvss 9.0epss 0.00

    Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew HRM: from n/a through <= 1.1.1.

  • CVE-2024-43242CriAug 19, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.

  • CVE-2024-4371CriJun 13, 2024
    risk 0.59cvss 9.0epss 0.01

    The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products…

  • CVE-2024-33553CriApr 29, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5.

  • CVE-2024-30227CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.

  • CVE-2024-30226CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3.

  • CVE-2024-30223CriMar 28, 2024
    risk 0.59cvss 9.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26.

  • CVE-2023-52202CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Folder Feedburner Playlist Free.This issue affects HTML5 MP3 Player with Folder Feedburner Playlist Free: from n/a through 2.8.0.

  • CVE-2023-52205CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free.This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0.

  • CVE-2023-52207CriJan 8, 2024
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Playlist Free.This issue affects HTML5 MP3 Player with Playlist Free: from n/a through 3.0.0.

  • CVE-2023-49777CriDec 31, 2023
    risk 0.59cvss 9.1epss 0.01

    Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.

  • CVE-2023-45146CriOct 18, 2023
    risk 0.59cvss 9.0epss 0.01

    XXL-RPC is a high performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and provide malicious serialized…

  • CVE-2021-29508CriMay 11, 2021
    risk 0.59cvss 9.1epss 0.02

    Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the…

  • CVE-2020-8840CriFeb 10, 2020
    risk 0.59cvss 9.8epss 0.27

    FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.