VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
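The entry above is the whole weakness in one sentence; the following is an added example (not code from the CWE entry or from any project in the CVE list below) showing it in Python's pickle, which is the Python counterpart of the PHP unserialize() and Java ObjectInputStream cases listed further down. The vulnerable call sits beside a hardened loader that resolves only an explicit allowlist of classes. The names SessionToken, Gadget and RestrictedUnpickler and both sample payloads are constructed for illustration; the gadget invokes os.getcwd so the block is harmless to run, where a real payload would name os.system or subprocess with attacker-chosen arguments.

```python
"""Added example (not from the CWE entry or any listed project): CWE-502 in Python's
pickle, shown as the vulnerable call beside a hardened loader that only admits an
explicit allowlist of classes."""
import io
import os
import pickle


class SessionToken:
    """The one type the application legitimately expects to receive (constructed)."""

    def __init__(self, user: str, role: str):
        self.user = user
        self.role = role

    def __eq__(self, other):
        return isinstance(other, SessionToken) and vars(self) == vars(other)


class Gadget:
    """Stand-in for an attacker-controlled object. __reduce__ lets a pickle name any
    importable callable plus its arguments; the unpickler invokes that callable while
    rebuilding the object. os.getcwd keeps this harmless to run; a real payload would
    name os.system, subprocess.Popen or similar with attacker-chosen arguments."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample inputs: a benign token and a payload an attacker could submit
# anywhere the application accepts a serialized blob (cookie, queue message, cache).
BENIGN_PAYLOAD = pickle.dumps(SessionToken("alice", "viewer"))
MALICIOUS_PAYLOAD = pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    """Vulnerable pattern: pickle.loads on untrusted bytes. Whatever callable the
    stream names runs before any application-level validation gets a chance."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is consulted for every global the stream references,
    so refusing everything outside an allowlist blocks gadget callables entirely."""

    ALLOWED = {(SessionToken.__module__, SessionToken.__name__): SessionToken}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name}: not in allowlist") from None


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def gadget_runs_under_unsafe_load() -> bool:
    """True when the 'token' that came back is really the result of calling os.getcwd,
    i.e. the unpickler executed attacker-chosen code."""
    return unsafe_load(MALICIOUS_PAYLOAD) == os.getcwd()


def safe_load_rejects(data: bytes) -> bool:
    """True when the restricted loader refuses the stream instead of executing it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("plain pickle.loads executed the gadget:", gadget_runs_under_unsafe_load())
    print("restricted loader rejected it:", safe_load_rejects(MALICIOUS_PAYLOAD))
    print("restricted loader still accepts the expected type:",
          safe_load(BENIGN_PAYLOAD) == SessionToken("alice", "viewer"))
```

The allowlist is enforced at the point where the stream names a class, before any constructor or `__reduce__` callable runs; that is the same placement used by Java's ObjectInputFilter and by Jackson's PolymorphicTypeValidator for the default-typing case listed below. Where the format can be chosen, a data-only encoding such as JSON with schema validation removes the class-resolution step altogether.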

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586 Object Injection

CVEs mapped to this weakness (1,721)

page 46 of 87
  • CVE-2023-49826 | High | Dec 21, 2023
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

  • CVE-2023-4386 | High | Oct 20, 2023
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the…

  • CVE-2023-4402 | High | Oct 20, 2023
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in…

  • CVE-2022-1415 | High | Sep 11, 2023
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

  • CVE-2021-37678 | Critical | Aug 12, 2021
    risk 0.53 | CVSS 9.3 | EPSS 0.00

    TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blo…

  • CVE-2020-15842 | High | Jul 20, 2020
    risk 0.53 | CVSS 8.1 | EPSS 0.02

    Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

  • CVE-2020-5411 | High | Jun 11, 2020
    risk 0.53 | CVSS 8.1 | EPSS 0.02

    When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing…

  • CVE-2017-3203 | High | Jun 11, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.06

    The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI…

  • CVE-2017-3201 | High | Jun 11, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.05

    The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to…

  • CVE-2017-3200 | High | Jun 11, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.06

    The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends…

  • CVE-2017-3199 | High | Jun 11, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.06

    The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server…

  • CVE-2018-10654 | High | May 23, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.

  • CVE-2018-7891 | High | Apr 30, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.04

    The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution.

  • CVE-2017-1000053 | High | Jul 17, 2017
    risk 0.53 | CVSS 8.1 | EPSS 0.02

    Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.

  • CVE-2017-2295 | High | Jul 5, 2017
    risk 0.53 | CVSS 8.2 | EPSS 0.02

    Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change…

  • CVE-2026-45034 | Critical | Jun 8, 2026
    risk 0.52 | CVSS n/a | EPSS 0.00

    Summary: CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The…

  • CVE-2026-50076 | Critical | Jun 4, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.01

    Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present…

  • CVE-2026-39832 | Critical | May 22, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.00

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client…

  • CVE-2026-40368 | High | May 12, 2026
    risk 0.52 | CVSS 8.0 | EPSS 0.02

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-5426 | Critical | Apr 16, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.01

    Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.