VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 27 of 87
  • CVE-2018-8013 | Critical | May 24, 2018 | risk 0.58 | CVSS 9.8 | EPSS 0.20

    In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name and then uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance in…

  • CVE-2018-7489 | Critical | Feb 26, 2018 | risk 0.58 | CVSS 9.8 | EPSS 0.21

    FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the…

  • CVE-2017-5641 | Critical | Dec 28, 2017 | risk 0.58 | CVSS 9.8 | EPSS 0.21

    Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types…

  • CVE-2017-0903 | Critical | Oct 11, 2017 | risk 0.58 | CVSS 9.8 | EPSS 0.16

    RubyGems versions 2.0.0 through 2.6.13 are vulnerable to possible remote code execution: YAML deserialization of gem specifications can bypass class whitelists, and specially crafted serialized objects can be used to escalate to remote code execution.

  • CVE-2016-8744 | High | Sep 13, 2017 | risk 0.58 | CVSS 8.8 | EPSS 0.04

    Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type…

  • CVE-2016-8749 | Critical | Mar 28, 2017 | risk 0.58 | CVSS 9.8 | EPSS 0.11

    Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to remote code execution attacks.

  • CVE-2016-0788 | Critical | Apr 7, 2016 | risk 0.58 | CVSS 9.8 | EPSS 0.12

    The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

  • CVE-2026-39478 | High | Jun 15, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    PHP Object Injection reachable by a Contributor-level user in Anti-Malware Security and Brute-Force Firewall versions <= 4.23.87.

  • CVE-2026-20251 | High | Jun 10, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.01

    In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold…

  • CVE-2026-53435 | High | Jun 10, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.15

    In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.…

  • CVE-2026-45484 | High | Jun 9, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-8365 | High | Jun 9, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the…

  • CVE-2026-7654 | High | Jun 5, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()`…

  • CVE-2026-10042 | Critical | May 29, 2026 | risk 0.57 | CVSS 9.8 | EPSS 0.01

    manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize…

  • CVE-2025-11993 | High | May 29, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via…

  • CVE-2026-48207 | Critical | May 21, 2026 | risk 0.57 | CVSS 9.8 | EPSS 0.01

    Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data…

  • CVE-2026-6009 | High | May 19, 2026 | risk 0.57 | CVSS (not listed) | EPSS 0.00

    Java deserialization vulnerability in Jaspersoft Reports Library leading to remote code execution (RCE) on the affected system.

  • CVE-2026-41957 | High | May 13, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.01

    An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40357 | High | May 12, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-35439 | High | May 12, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
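Worked example, added here and not code from VYPR or from any project in the list, of the mechanism the entries above share: a serialized stream that names the code to run on load, and a loader that takes the name at face value. It uses Python's pickle, the format behind the manga-image-translator (CVE-2026-10042) and PyFory (CVE-2026-48207) entries, and mirrors the `allowed_classes` restriction the Admin Columns entry (CVE-2026-7654) says was missing from `unserialize()`. A `__reduce__` payload makes plain `pickle.loads` call `builtins.exec`; a subclassed `Unpickler` whose `find_class` only resolves allowlisted globals rejects the same bytes while still loading a benign `OrderedDict`. The `Payload` class, the `CWE502_DEMO` environment-variable marker and the allowlist contents are assumptions for the demo.

```python
"""CWE-502 in Python's pickle: a __reduce__ payload executes on load, and a
find_class allowlist stops it. Added demo; not code from any project listed."""
import collections
import io
import os
import pickle

# Marker the payload sets so the demo can observe that it executed without
# running a real command (a genuine gadget would call os.system, subprocess...).
MARKER = "CWE502_DEMO"  # hypothetical environment variable, demo only


class Payload:
    """The pickle of this object contains no Payload at all: __reduce__ tells
    the unpickler 'to rebuild me, call builtins.exec(<source>)'."""

    def __reduce__(self):
        src = f"import os; os.environ[{MARKER!r}] = 'executed'"
        return (exec, (src,))


def build_payload() -> bytes:
    """Bytes an attacker would send to a pickle-consuming endpoint."""
    return pickle.dumps(Payload())


def unsafe_load(data: bytes):
    """The vulnerable pattern: any importable global named in the stream
    is resolved and called."""
    return pickle.loads(data)


# Hardened loader: only these (module, name) pairs may be resolved from the
# stream. Keep it minimal; an allowlisted class still runs its own
# __setstate__/__reduce__ logic, so list only types you trust with raw input.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run payload through both loaders and report what happened."""
    payload = build_payload()
    os.environ.pop(MARKER, None)

    unsafe_load(payload)  # exec() runs during deserialization
    unsafe_executed = os.environ.get(MARKER) == "executed"

    os.environ.pop(MARKER, None)
    try:
        safe_load(payload)  # builtins.exec is not allowlisted
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = os.environ.get(MARKER) is None

    # Constructed benign input: the allowlist still lets legitimate data through.
    benign = collections.OrderedDict(user="alice", ids=[1, 2])
    benign_roundtrip = safe_load(pickle.dumps(benign)) == benign

    return {
        "unsafe_executed": unsafe_executed,
        "restricted_blocked": restricted_blocked,
        "benign_roundtrip": benign_roundtrip,
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns all three flags true: the same bytes execute code under `pickle.loads` and are refused by the restricted loader before any callable is resolved. The allowlist is a mitigation, not a fix for untrusted input: as the PyFory entry shows, reduce-state restoration of a permitted class can still carry attacker-controlled values into its code, so for data that crosses a trust boundary prefer a data-only format such as JSON with schema validation over any native object serialization.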