CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 43 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-33568 | Hig | 0.55 | 8.5 | 0.01 | Jun 4, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from n/a before 7.19.3. | ||
| CVE-2024-32603 | Hig | 0.55 | 8.5 | 0.01 | Apr 18, 2024 | Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy.This issue affects WooBuddy: from n/a through 3.4.20. | ||
| CVE-2024-31094 | Hig | 0.55 | 8.5 | 0.01 | Mar 31, 2024 | Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light.This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05. | ||
| CVE-2024-30222 | Hig | 0.55 | 8.5 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | ||
| CVE-2024-29136 | Hig | 0.55 | 8.5 | 0.01 | Mar 19, 2024 | Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.17. | ||
| CVE-2023-42809 | Cri | 0.55 | 9.6 | 0.01 | Oct 4, 2023 | Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating… | ||
| CVE-2023-36825 | Cri | 0.55 | 9.6 | 0.01 | Jul 11, 2023 | Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the… | ||
| CVE-2021-4104 | Hig | 0.55 | 7.5 | 0.81 | Dec 14, 2021 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests… | ||
| CVE-2021-21341 | Hig | 0.55 | 7.5 | 0.78 | Mar 23, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting… | ||
| CVE-2026-33454 | Cri | 0.54 | 9.4 | 0.01 | Apr 27, 2026 | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via… | ||
| CVE-2025-34292 | Cri | 0.54 | — | 0.01 | Oct 27, 2025 | Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and… | ||
| CVE-2023-25581 | Cri | 0.54 | — | 0.02 | Oct 10, 2024 | pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be… | ||
| CVE-2024-39636 | Hig | 0.54 | 8.3 | 0.00 | Aug 1, 2024 | Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1. | ||
| CVE-2024-32600 | Hig | 0.54 | 8.3 | 0.00 | Apr 18, 2024 | Deserialization of Untrusted Data vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.5. | ||
| CVE-2023-28782 | Hig | 0.54 | 8.3 | 0.01 | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Gravity Forms.This issue affects Gravity Forms: from n/a through 2.7.3. | ||
| CVE-2023-40555 | Hig | 0.54 | 8.3 | 0.00 | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5. | ||
| CVE-2023-34027 | Hig | 0.54 | 8.3 | 0.01 | Dec 19, 2023 | Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products.This issue affects Recently Viewed Products: from n/a through 1.0.0. | ||
| CVE-2023-37390 | Hig | 0.54 | 8.3 | 0.01 | Dec 19, 2023 | Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor.This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0. | ||
| CVE-2022-41966 | Hig | 0.54 | 8.2 | 0.09 | Dec 28, 2022 | XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code… | ||
| CVE-2018-16364 | Hig | 0.54 | 8.1 | 0.15 | Sep 26, 2018 | A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. |
- risk 0.55cvss 8.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from n/a before 7.19.3.
- risk 0.55cvss 8.5epss 0.01
Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy.This issue affects WooBuddy: from n/a through 3.4.20.
- risk 0.55cvss 8.5epss 0.01
Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light.This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05.
- risk 0.55cvss 8.5epss 0.01
Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26.
- risk 0.55cvss 8.5epss 0.01
Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.17.
- risk 0.55cvss 9.6epss 0.01
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating…
- risk 0.55cvss 9.6epss 0.01
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the…
- risk 0.55cvss 7.5epss 0.81
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests…
- risk 0.55cvss 7.5epss 0.78
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting…
- risk 0.54cvss 9.4epss 0.01
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via…
- risk 0.54cvss —epss 0.01
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and…
- risk 0.54cvss —epss 0.02
pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be…
- risk 0.54cvss 8.3epss 0.00
Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1.
- risk 0.54cvss 8.3epss 0.00
Deserialization of Untrusted Data vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.5.
- risk 0.54cvss 8.3epss 0.01
Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Gravity Forms.This issue affects Gravity Forms: from n/a through 2.7.3.
- risk 0.54cvss 8.3epss 0.00
Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5.
- risk 0.54cvss 8.3epss 0.01
Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products.This issue affects Recently Viewed Products: from n/a through 1.0.0.
- risk 0.54cvss 8.3epss 0.01
Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor.This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0.
- risk 0.54cvss 8.2epss 0.09
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code…
- risk 0.54cvss 8.1epss 0.15
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.