CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 46 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49826 | Hig | 0.53 | 8.1 | 0.01 | Dec 21, 2023 | Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1. | ||
| CVE-2023-4386 | Hig | 0.53 | 8.1 | 0.01 | Oct 20, 2023 | The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the… | ||
| CVE-2023-4402 | Hig | 0.53 | 8.1 | 0.01 | Oct 20, 2023 | The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in… | ||
| CVE-2022-1415 | Hig | 0.53 | 8.1 | 0.01 | Sep 11, 2023 | A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server. | ||
| CVE-2021-37678 | Cri | 0.53 | 9.3 | 0.00 | Aug 12, 2021 | TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blo… | ||
| CVE-2020-15842 | — | Hig | 0.53 | 8.1 | 0.02 | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | |
| CVE-2020-5411 | — | Hig | 0.53 | 8.1 | 0.02 | Jun 11, 2020 | When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing… | |
| CVE-2017-3203 | Hig | 0.53 | 8.1 | 0.06 | Jun 11, 2018 | The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI… | ||
| CVE-2017-3201 | Hig | 0.53 | 8.1 | 0.05 | Jun 11, 2018 | The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to… | ||
| CVE-2017-3200 | — | Hig | 0.53 | 8.1 | 0.06 | Jun 11, 2018 | The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends… | |
| CVE-2017-3199 | — | Hig | 0.53 | 8.1 | 0.06 | Jun 11, 2018 | The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server… | |
| CVE-2018-10654 | Hig | 0.53 | 8.1 | 0.01 | May 23, 2018 | There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3. | ||
| CVE-2018-7891 | Hig | 0.53 | 8.1 | 0.04 | Apr 30, 2018 | The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution. | ||
| CVE-2017-1000053 | Hig | 0.53 | 8.1 | 0.02 | Jul 17, 2017 | Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. | ||
| CVE-2017-2295 | Hig | 0.53 | 8.2 | 0.02 | Jul 5, 2017 | Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change… | ||
| CVE-2026-45034 | cri | 0.52 | — | 0.00 | Jun 8, 2026 | ## Summary CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The… | ||
| CVE-2026-50076 | Cri | 0.52 | 9.1 | 0.01 | Jun 4, 2026 | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present… | ||
| CVE-2026-39832 | Cri | 0.52 | 9.1 | 0.00 | May 22, 2026 | When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client… | ||
| CVE-2026-40368 | Hig | 0.52 | 8.0 | 0.02 | May 12, 2026 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||
| CVE-2026-5426 | Cri | 0.52 | 9.1 | 0.01 | Apr 16, 2026 | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks |
- risk 0.53cvss 8.1epss 0.01
Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.
- risk 0.53cvss 8.1epss 0.01
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the…
- risk 0.53cvss 8.1epss 0.01
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in…
- risk 0.53cvss 8.1epss 0.01
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
- risk 0.53cvss 9.3epss 0.00
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blo…
- risk 0.53cvss 8.1epss 0.02
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
- risk 0.53cvss 8.1epss 0.02
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing…
- risk 0.53cvss 8.1epss 0.06
The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI…
- risk 0.53cvss 8.1epss 0.05
The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to…
- risk 0.53cvss 8.1epss 0.06
The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends…
- risk 0.53cvss 8.1epss 0.06
The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server…
- risk 0.53cvss 8.1epss 0.01
There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
- risk 0.53cvss 8.1epss 0.04
The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution.
- risk 0.53cvss 8.1epss 0.02
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.
- risk 0.53cvss 8.2epss 0.02
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change…
- risk 0.52cvss —epss 0.00
## Summary CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The…
- risk 0.52cvss 9.1epss 0.01
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present…
- risk 0.52cvss 9.1epss 0.00
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client…
- risk 0.52cvss 8.0epss 0.02
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- risk 0.52cvss 9.1epss 0.01
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks