VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base; Status: Draft; Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 42 of 87
  • CVE-2023-6933 (High, Feb 5, 2024)
    risk 0.56, CVSS 8.8, EPSS 0.68

    The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the…

  • CVE-2023-6267 (High, Jan 25, 2024)
    risk 0.56, CVSS 8.6, EPSS 0.01

    A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with…

  • CVE-2021-39152 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.11

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime…

  • CVE-2021-39150 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.03

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime…

  • CVE-2021-39154 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39153 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box…

  • CVE-2021-39151 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39149 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39148 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39147 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39146 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.14

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39145 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39139 (High, Aug 23, 2021)
    risk 0.56, CVSS 8.5, EPSS 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the…

  • CVE-2018-15576 (High, Aug 24, 2018)
    risk 0.56, CVSS 8.1, EPSS 0.10

    An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.

  • CVE-2026-10721 (High, Jun 10, 2026)
    risk 0.55, CVSS n/a, EPSS 0.00

    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the…

  • CVE-2026-7888 (High, Jun 3, 2026)
    risk 0.55, CVSS n/a, EPSS 0.00

    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious…

  • CVE-2026-9330 (High, Jun 1, 2026)
    risk 0.55, CVSS 8.5, EPSS 0.00

    IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable…

  • CVE-2026-3071 (High, Feb 26, 2026)
    risk 0.55, CVSS 8.4, EPSS 0.00

    Deserialization of untrusted data in the LanguageModel class of Flair, from version 0.4.1 to latest, is vulnerable to arbitrary code execution when loading a malicious model.

  • CVE-2025-47292 (Critical, May 14, 2025)
    risk 0.55, CVSS n/a, EPSS 0.01

    Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes, which can be controlled by an unauthenticated user.…

  • CVE-2024-3468 (High, Jun 12, 2024)
    risk 0.55, CVSS n/a, EPSS 0.00

    There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.