VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of Exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
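
The following is an added example, not code from the CWE entry or from any product in the CVE list below. It uses Python's pickle as a stand-in for the PHP unserialize() and Java ObjectInputStream/XStream code paths named in the entries on this page. A hand-constructed payload shows why a serialized stream is a program for the deserializer rather than inert data, and three loaders show the mitigations a practitioner reaches for: an allow-list of resolvable classes (the PHP equivalent is unserialize()'s allowed_classes option, PHP 7.0+; the Java equivalent is ObjectInputFilter, JEP 290), an integrity check that keeps untrusted bytes away from the deserializer entirely, and a data-only format with explicit validation of the resulting values. SESSION_KEY, the session schema and the payload bytes are constructed for the example.

```python
"""CWE-502 in miniature, using Python's pickle as the stand-in for PHP's
unserialize() or Java's ObjectInputStream.

Added example, not code from the CWE entry or from any listed product.
Every name here is illustrative; SESSION_KEY is a constructed secret and
the payload bytes are constructed by hand.
"""
import hashlib
import hmac
import io
import json
import os
import pickle

# A serialized stream is a program for the deserializer, not inert data.
# Protocol-0 opcodes, constructed by hand (the attacker needs no gadget
# class of their own, only the names of an importable callable):
#   c<module>\n<name>\n   GLOBAL : import os, push os.getcwd
#   (                     MARK
#   t                     TUPLE  : pop to MARK -> ()
#   R                     REDUCE : call os.getcwd(*())
#   .                     STOP
# Swap "os\ngetcwd" for "os\nsystem", add a string argument, and the same
# loader runs a shell command.
CRAFTED_PAYLOAD = b"cos\ngetcwd\n(tR."


# --- 1. The weakness -------------------------------------------------------

def load_untrusted(blob: bytes):
    """CWE-502: pickle.loads() imports and calls whatever the stream names."""
    return pickle.loads(blob)


# --- 2. Mitigation A: allow-list the globals the stream may resolve ---------

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup not on an explicit allow-list.
    Plain dict/list/str/int data never goes through find_class, so ordinary
    session data still loads; anything naming a module and callable does not."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}  # assumption

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# --- 3. Mitigation B: only accept streams this service itself produced ------

SESSION_KEY = b"constructed-demo-key-rotate-in-production"  # assumption


def sign(blob: bytes) -> bytes:
    return hmac.new(SESSION_KEY, blob, hashlib.sha256).digest() + blob


def load_signed(signed: bytes):
    """Verify the MAC before the bytes reach pickle: without the key an
    attacker cannot produce a stream that is deserialized at all. Caveat:
    whoever holds the key still gets code execution, so A and B compose
    rather than replace each other."""
    mac, blob = signed[:32], signed[32:]
    expected = hmac.new(SESSION_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature: refusing to deserialize")
    return load_restricted(blob)


# --- 4. Preferred: a data-only format plus validation of the values --------

def load_session_json(text: str) -> dict:
    """JSON cannot name a class to instantiate; the checks below then cover
    the second half of the CWE-502 text, that the resulting data is valid."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"user", "roles"}:
        raise ValueError("unexpected session shape")
    if not isinstance(data["user"], str) or not data["user"].isidentifier():
        raise ValueError("bad user")
    if not (isinstance(data["roles"], list)
            and all(r in {"viewer", "editor"} for r in data["roles"])):
        raise ValueError("bad roles")
    return data


if __name__ == "__main__":
    print("vulnerable loader ran os.getcwd():", load_untrusted(CRAFTED_PAYLOAD))
    try:
        load_restricted(CRAFTED_PAYLOAD)
    except pickle.UnpicklingError as exc:
        print("restricted loader refused:", exc)
    session = pickle.dumps({"user": "alice", "roles": ["viewer"]})
    print("signed session:", load_signed(sign(session)))
    print("json session:", load_session_json('{"user": "alice", "roles": ["viewer"]}'))
```

The allow-list in RestrictedUnpickler is deliberately tiny; in a real service it should name exactly the application classes the stream is expected to carry, and nothing from os, subprocess, builtins.eval or similar. Most of the WordPress entries below are the PHP shape of the same bug: a request parameter reaching unserialize() with no allowed_classes restriction.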

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 43 of 87
  • CVE-2024-33568 | High | Jun 4, 2024
    risk 0.55 | cvss 8.5 | epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection. This issue affects Element Pack Pro: from n/a before 7.19.3.

  • CVE-2024-32603 | High | Apr 18, 2024
    risk 0.55 | cvss 8.5 | epss 0.01

    Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy. This issue affects WooBuddy: from n/a through 3.4.20.

  • CVE-2024-31094 | High | Mar 31, 2024
    risk 0.55 | cvss 8.5 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05.

  • CVE-2024-30222 | High | Mar 28, 2024
    risk 0.55 | cvss 8.5 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember. This issue affects ARMember: from n/a through 4.0.26.

  • CVE-2024-29136 | High | Mar 19, 2024
    risk 0.55 | cvss 8.5 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic. This issue affects Tourfic: from n/a through <= 2.11.17.

  • CVE-2023-42809 | Critical | Oct 4, 2023
    risk 0.55 | cvss 9.6 | epss 0.01

    Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating…

  • CVE-2023-36825 | Critical | Jul 11, 2023
    risk 0.55 | cvss 9.6 | epss 0.01

    Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the…

  • CVE-2021-4104 | High | Dec 14, 2021
    risk 0.55 | cvss 7.5 | epss 0.81

    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests…

  • CVE-2021-21341 | High | Mar 23, 2021
    risk 0.55 | cvss 7.5 | epss 0.78

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting…

  • CVE-2026-33454 | Critical | Apr 27, 2026
    risk 0.54 | cvss 9.4 | epss 0.01

    The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via…

  • CVE-2025-34292 | Critical | Oct 27, 2025
    risk 0.54 | cvss n/a | epss 0.01

    Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \RoxPostHandler::getCallbackAction and…

  • CVE-2023-25581 | Critical | Oct 10, 2024
    risk 0.54 | cvss n/a | epss 0.02

    pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be…

  • CVE-2024-39636 | High | Aug 1, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1.

  • CVE-2024-32600 | High | Apr 18, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Deserialization of Untrusted Data vulnerability in Averta Master Slider. This issue affects Master Slider: from n/a through 3.9.5.

  • CVE-2023-28782 | High | Dec 20, 2023
    risk 0.54 | cvss 8.3 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Gravity Forms. This issue affects Gravity Forms: from n/a through 2.7.3.

  • CVE-2023-40555 | High | Dec 20, 2023
    risk 0.54 | cvss 8.3 | epss 0.00

    Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme. This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5.

  • CVE-2023-34027 | High | Dec 19, 2023
    risk 0.54 | cvss 8.3 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products. This issue affects Recently Viewed Products: from n/a through 1.0.0.

  • CVE-2023-37390 | High | Dec 19, 2023
    risk 0.54 | cvss 8.3 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor. This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0.

  • CVE-2022-41966 | High | Dec 28, 2022
    risk 0.54 | cvss 8.2 | epss 0.09

    XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code…

  • CVE-2018-16364 | High | Sep 26, 2018
    risk 0.54 | cvss 8.1 | epss 0.15

    A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.