VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 29 of 87
  • CVE-2026-34877CriApr 2, 2026
    risk 0.57cvss 9.8epss 0.00

    An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code…

  • CVE-2026-24164HigMar 31, 2026
    risk 0.57cvss 8.8epss 0.00

    NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.

  • CVE-2026-33728CriMar 27, 2026
    risk 0.57cvss 9.8epss 0.01

    dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker…

  • CVE-2026-33701CriMar 27, 2026
    risk 0.57cvss 9.8epss 0.01

    OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK…

  • CVE-2026-32513HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through <= 6.1.7.

  • CVE-2026-27045HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.

  • CVE-2026-25400HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.

  • CVE-2026-25360HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.

  • CVE-2026-25359HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5.

  • CVE-2026-25358HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2.

  • CVE-2026-24981HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9.

  • CVE-2026-24978HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1.

  • CVE-2026-24976HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2.

  • CVE-2026-24974HigMar 25, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1.

  • CVE-2026-25445HigMar 19, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.

  • CVE-2026-32355HigMar 13, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.

  • CVE-2026-3060CriMar 12, 2026
    risk 0.57cvss 9.8epss 0.01

    SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.

  • CVE-2026-3059CriMar 12, 2026
    risk 0.57cvss 9.8epss 0.02

    SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.

  • CVE-2026-2599CriMar 5, 2026
    risk 0.57cvss 9.8epss 0.01

    The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated…

  • CVE-2026-27379HigMar 5, 2026
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g allows Object Injection.This issue affects NextScripts: from n/a through <= 4.4.7.