CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
Page 32 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-64353 | | High | 0.57 | 8.8 | 0.00 | | Oct 31, 2025 | Deserialization of Untrusted Data vulnerability in Chouby Polylang polylang allows Object Injection. This issue affects Polylang: from n/a through <= 3.7.3. |
| CVE-2025-62008 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce. This issue affects Product Table For WooCommerce: from n/a through <= 1.2.4. |
| CVE-2025-60234 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection. This issue affects Single Property: from n/a through <= 2.8. |
| CVE-2025-60228 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection. This issue affects Knowledge Base: from n/a through <= 2.9. |
| CVE-2025-60215 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection. This issue affects Kriya: from n/a through <= 3.4. |
| CVE-2025-60212 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection. This issue affects VEDA: from n/a through <= 4.2. |
| CVE-2025-52740 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in Hernan Villanueva Boldermail boldermail allows Object Injection. This issue affects Boldermail: from n/a through <= 2.4.0. |
| CVE-2025-52737 | | High | 0.57 | 8.8 | 0.00 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection. This issue affects WP Store Locator: from n/a through <= 2.2.260. |
| CVE-2025-32283 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5. |
| CVE-2025-31634 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2025 | Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection. This issue affects Insurance: from n/a through <= 3.5. |
| CVE-2025-49655 | | Critical | 0.57 | 9.8 | 0.01 | | Oct 17, 2025 | Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded… |
| CVE-2025-53303 | | High | 0.57 | 8.8 | 0.00 | | Sep 9, 2025 | Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection. This issue affects ThemeMove Core: from n/a through <= 1.4.2. |
| CVE-2025-48101 | | High | 0.57 | 8.8 | 0.00 | | Sep 9, 2025 | Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1. |
| CVE-2025-5662 | | Critical | 0.57 | 9.8 | 0.01 | | Sep 2, 2025 | A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The… |
| CVE-2025-54742 | | High | 0.57 | 8.8 | 0.00 | | Aug 28, 2025 | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 4.4.8. |
| CVE-2025-54923 | — | High | 0.57 | — | 0.01 | | Aug 20, 2025 | CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization. |
| CVE-2025-54007 | | High | 0.57 | 8.8 | 0.00 | | Aug 20, 2025 | Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11. |
| CVE-2025-53560 | | High | 0.57 | 8.8 | 0.00 | | Aug 20, 2025 | Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection. This issue affects Noisa: from n/a through <= 2.6.0. |
| CVE-2025-8145 | | High | 0.57 | 8.8 | 0.00 | | Aug 20, 2025 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP… |
| CVE-2025-49869 | | High | 0.57 | 8.8 | 0.00 | | Aug 14, 2025 | Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.0.31. |