CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 27 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8013 | — | Cri | 0.58 | 9.8 | 0.20 | May 24, 2018 | In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in… | |
| CVE-2018-7489 | — | Cri | 0.58 | 9.8 | 0.21 | Feb 26, 2018 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the… | |
| CVE-2017-5641 | Cri | 0.58 | 9.8 | 0.21 | Dec 28, 2017 | Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types… | ||
| CVE-2017-0903 | Cri | 0.58 | 9.8 | 0.16 | Oct 11, 2017 | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. | ||
| CVE-2016-8744 | Hig | 0.58 | 8.8 | 0.04 | Sep 13, 2017 | Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type… | ||
| CVE-2016-8749 | Cri | 0.58 | 9.8 | 0.11 | Mar 28, 2017 | Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | ||
| CVE-2016-0788 | Cri | 0.58 | 9.8 | 0.12 | Apr 7, 2016 | The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener. | ||
| CVE-2026-39478 | Hig | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. | ||
| CVE-2026-20251 | Hig | 0.57 | 8.8 | 0.01 | Jun 10, 2026 | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold… | ||
| CVE-2026-53435 | Hig | 0.57 | 8.8 | 0.15 | Jun 10, 2026 | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.… | ||
| CVE-2026-45484 | Hig | 0.57 | 8.8 | 0.02 | Jun 9, 2026 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-8365 | Hig | 0.57 | 8.8 | 0.01 | Jun 9, 2026 | The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the… | ||
| CVE-2026-7654 | Hig | 0.57 | 8.8 | 0.01 | Jun 5, 2026 | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()`… | ||
| CVE-2026-10042 | Cri | 0.57 | 9.8 | 0.01 | May 29, 2026 | manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize… | ||
| CVE-2025-11993 | Hig | 0.57 | 8.8 | 0.00 | May 29, 2026 | The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via… | ||
| CVE-2026-48207 | Cri | 0.57 | 9.8 | 0.01 | May 21, 2026 | Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data… | ||
| CVE-2026-6009 | Hig | 0.57 | — | 0.00 | May 19, 2026 | Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system | ||
| CVE-2026-41957 | Hig | 0.57 | 8.8 | 0.01 | May 13, 2026 | An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||
| CVE-2026-40357 | Hig | 0.57 | 8.8 | 0.02 | May 12, 2026 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||
| CVE-2026-35439 | Hig | 0.57 | 8.8 | 0.02 | May 12, 2026 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
- risk 0.58cvss 9.8epss 0.20
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in…
- risk 0.58cvss 9.8epss 0.21
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the…
- risk 0.58cvss 9.8epss 0.21
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types…
- risk 0.58cvss 9.8epss 0.16
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
- risk 0.58cvss 8.8epss 0.04
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type…
- risk 0.58cvss 9.8epss 0.11
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
- risk 0.58cvss 9.8epss 0.12
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
- risk 0.57cvss 8.8epss 0.00
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
- risk 0.57cvss 8.8epss 0.01
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold…
- risk 0.57cvss 8.8epss 0.15
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.…
- risk 0.57cvss 8.8epss 0.02
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.
- risk 0.57cvss 8.8epss 0.01
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the…
- risk 0.57cvss 8.8epss 0.01
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()`…
- risk 0.57cvss 9.8epss 0.01
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize…
- risk 0.57cvss 8.8epss 0.00
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via…
- risk 0.57cvss 9.8epss 0.01
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data…
- risk 0.57cvss —epss 0.00
Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system
- risk 0.57cvss 8.8epss 0.01
An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- risk 0.57cvss 8.8epss 0.02
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- risk 0.57cvss 8.8epss 0.02
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.