VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood of Exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
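The weakness in one runnable picture, using Python's pickle module. This is an added example, not code from the CWE entry or from any product listed on this page: the payload builder, the FLAG side channel, the Gadget class, LEGIT_RECORD, the Job record and the allowlist are all constructed for the illustration. It shows the vulnerable pattern (any global the byte stream names is resolved and called while loading), a hardened Unpickler whose find_class() refuses everything outside an allowlist, and the preferred route of a data-only format followed by explicit validation of the decoded fields, which is the "ensuring that the resulting data will be valid" part of the definition above.

```python
"""CWE-502 in Python's pickle: vulnerable loader beside two hardened ones.
Added example; not from the CWE page or any listed product. FLAG, Gadget,
LEGIT_RECORD, Job and the allowlist are constructed for this illustration."""
import builtins
import datetime
import io
import json
import pickle
from dataclasses import dataclass

# The constructed payload sets this attribute on builtins instead of running
# a command, so "attacker code ran" is observable without real side effects.
FLAG = "CWE502_DEMO_EXECUTED"


def attacker_code_ran() -> bool:
    return bool(getattr(builtins, FLAG, False))


def reset_flag() -> None:
    builtins.__dict__.pop(FLAG, None)


class Gadget:
    """Constructed attacker object. pickle calls the callable returned by
    __reduce__ with these args while *loading*; real payloads use the same
    mechanism with something like (os.system, ("id",))."""

    def __reduce__(self):
        return (exec, (f"import builtins; setattr(builtins, {FLAG!r}, True)",))


def make_malicious_payload() -> bytes:
    """Bytes an attacker would send; producing them needs no trust at all."""
    return pickle.dumps(Gadget())


def unsafe_loads(data: bytes):
    return pickle.loads(data)  # CWE-502: the stream picks what gets called


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pickle: find_class() resolves only allowlisted (module, name).
    Plain containers (dict, list, str, int, set) never go through find_class,
    so they still load; anything else, builtins.exec included, is refused."""
    ALLOWED = {
        (datetime.date.__module__, datetime.date.__qualname__),
        ("builtins", "set"),  # only reached with older pickle protocols
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


LEGIT_RECORD = {"name": "backup", "when": datetime.date(2024, 1, 31),
                "tags": {"nightly"}}


@dataclass
class Job:
    """Constructed record the service actually expects to receive."""
    name: str
    retries: int


def from_json(text: str) -> Job:
    """Preferred fix: data-only format, then validate every decoded field."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"name", "retries"}:
        raise ValueError("unexpected shape")
    if not isinstance(obj["name"], str) or not obj["name"]:
        raise ValueError("name must be a non-empty string")
    retries = obj["retries"]
    if isinstance(retries, bool) or not isinstance(retries, int):
        raise ValueError("retries must be an int")  # bool subclasses int
    if not 0 <= retries <= 10:
        raise ValueError("retries out of range")
    return Job(obj["name"], retries)


def demo() -> dict:
    """Runs the loaders against the same payload and returns what happened."""
    payload = make_malicious_payload()
    reset_flag()
    unsafe_loads(payload)  # returns None; the harm is the side effect
    unsafe_ran_code = attacker_code_ran()
    reset_flag()
    try:
        safe_loads(payload)
        safe_rejected = False
    except pickle.UnpicklingError:
        safe_rejected = True
    safe_ran_code = attacker_code_ran()
    reset_flag()
    return {"unsafe_ran_code": unsafe_ran_code,
            "safe_rejected": safe_rejected,
            "safe_ran_code": safe_ran_code,
            "legit_via_safe": safe_loads(pickle.dumps(LEGIT_RECORD)),
            "json_job": from_json('{"name": "backup", "retries": 3}')}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The allowlist only helps if every allowlisted type is a passive data holder; a class whose __setstate__ or __reduce__ does real work on load reintroduces the problem, which is why the JSON-plus-validation path is preferred. The same structure applies outside Python: the JBoss entry further down this page ("does not restrict the classes for which it performs deserialization") is the Java form of the unsafe_loads pattern, and Java's ObjectInputFilter plays the role of the find_class() allowlist here.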

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586: Object Injection

CVEs mapped to this weakness (1,721)

page 3 of 87
  • CVE-2018-15959 (Critical, Sep 25, 2018)
    risk 0.66, CVSS 9.8, EPSS 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-15958 (Critical, Sep 25, 2018)
    risk 0.66, CVSS 9.8, EPSS 0.26

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2018-15957 (Critical, Sep 25, 2018)
    risk 0.66, CVSS 9.8, EPSS 0.28

    Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2016-8519 (Critical, Feb 15, 2018)
    risk 0.66, CVSS 9.8, EPSS 0.28

    A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found.

  • CVE-2017-7504 (Critical, May 19, 2017)
    risk 0.66, CVSS 9.8, EPSS 0.29

    HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat JBoss Application Server <= JBoss 4.X, does not restrict the classes for which it performs deserialization, which allows remote attackers to execute…

  • CVE-2026-41104 (Critical, May 22, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

  • CVE-2026-33819 (Critical, Apr 23, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

  • CVE-2026-24815 (Critical, Jan 27, 2026)
    risk 0.65, CVSS not listed, EPSS 0.00

    Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before…

  • CVE-2025-14931 (Critical, Dec 23, 2025)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to…

  • CVE-2025-10363 (Critical, Oct 6, 2025)
    risk 0.65, CVSS not listed, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution. This issue affects at least Topal Finanzbuchhaltung: 10.1.5.20 and is fixed in version 11.2.12.00

  • CVE-2025-58384 (Critical, Sep 26, 2025)
    risk 0.65, CVSS 10.0, EPSS 0.01

    In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface.

  • CVE-2025-42944 (Critical, Sep 9, 2025)
    risk 0.65, CVSS 10.0, EPSS 0.03

    Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command…

  • CVE-2025-6507 (Critical, Sep 1, 2025)
    risk 0.65, CVSS 9.8, EPSS 0.13

    A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files. This issue affects the latest master branch version 3.47.0.99999. The vulnerability arises…

  • CVE-2024-13980 (Critical, Aug 27, 2025)
    risk 0.65, CVSS not listed, EPSS 0.01

    H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged…

  • CVE-2025-34153 (Critical, Aug 13, 2025)
    risk 0.65, CVSS not listed, EPSS 0.01

    Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer,…

  • CVE-2025-34060 (Critical, Jul 1, 2025)
    risk 0.65, CVSS not listed, EPSS 0.01

    A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation.…

  • CVE-2025-48200 (Critical, May 21, 2025)
    risk 0.65, CVSS 10.0, EPSS 0.01

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.

  • CVE-2024-50507 (Critical, Oct 30, 2024)
    risk 0.65, CVSS 9.8, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Daschmi DS.DownloadList dsdownloadlist allows Object Injection. This issue affects DS.DownloadList: from n/a through <= 1.3.

  • CVE-2024-30225 (Critical, Mar 28, 2024)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate. This issue affects WP Migrate: from n/a through 2.6.10.

  • CVE-2024-30224 (Critical, Mar 28, 2024)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX. This issue affects WholesaleX: from n/a through 1.3.2.