CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 47 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-49375 | Cri | 0.52 | 9.0 | 0.01 | Jan 14, 2025 | Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API… | ||
| CVE-2024-32030 | Hig | 0.52 | 8.1 | 0.34 | Jun 19, 2024 | Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by… | ||
| CVE-2024-4044 | Hig | 0.52 | 7.8 | 0.15 | May 14, 2024 | A deserialization of untrusted data vulnerability exists in common code used by FlexLogger and InstrumentStudio that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability… | ||
| CVE-2024-30229 | Hig | 0.52 | 8.0 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.This issue affects GiveWP: from n/a through <= 3.4.2. | ||
| CVE-2024-24926 | Hig | 0.52 | 7.5 | 0.01 | Feb 12, 2024 | Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6. | ||
| CVE-2024-24590 | — | Hig | 0.52 | 8.0 | 0.02 | Feb 6, 2024 | Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. | |
| CVE-2022-39256 | Cri | 0.52 | 9.0 | 0.01 | Sep 27, 2022 | Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated… | ||
| CVE-2026-24228 | Hig | 0.51 | 7.8 | 0.00 | Jun 16, 2026 | NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||
| CVE-2026-12191 | Hig | 0.51 | 7.8 | 0.00 | Jun 14, 2026 | A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The… | ||
| CVE-2026-25551 | Hig | 0.51 | 7.8 | 0.00 | Jun 4, 2026 | Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe,… | ||
| CVE-2026-24237 | Hig | 0.51 | 7.8 | 0.00 | Jun 2, 2026 | NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | ||
| CVE-2026-24221 | Hig | 0.51 | 7.8 | 0.00 | Jun 2, 2026 | NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering and information disclosure. | ||
| CVE-2026-24162 | Hig | 0.51 | 7.8 | 0.00 | May 26, 2026 | NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | ||
| CVE-2026-24216 | Hig | 0.51 | 7.8 | 0.00 | May 20, 2026 | NVIDIA BioNemo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | ||
| CVE-2024-53326 | Hig | 0.51 | 7.3 | 0.00 | May 8, 2026 | LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | ||
| CVE-2026-7584 | Hig | 0.51 | 7.8 | 0.00 | May 1, 2026 | The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any… | ||
| CVE-2026-32192 | Hig | 0.51 | 7.8 | 0.02 | Apr 14, 2026 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-32184 | Hig | 0.51 | 7.8 | 0.02 | Apr 14, 2026 | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-24165 | Hig | 0.51 | 7.8 | 0.00 | Mar 31, 2026 | NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | ||
| CVE-2026-4416 | Hig | 0.51 | 7.8 | 0.00 | Mar 30, 2026 | The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation. |
- risk 0.52cvss 9.0epss 0.01
Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API…
- risk 0.52cvss 8.1epss 0.34
Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by…
- risk 0.52cvss 7.8epss 0.15
A deserialization of untrusted data vulnerability exists in common code used by FlexLogger and InstrumentStudio that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability…
- risk 0.52cvss 8.0epss 0.01
Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.This issue affects GiveWP: from n/a through <= 3.4.2.
- risk 0.52cvss 7.5epss 0.01
Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.
- risk 0.52cvss 8.0epss 0.02
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.
- risk 0.52cvss 9.0epss 0.01
Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated…
- risk 0.51cvss 7.8epss 0.00
NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
- risk 0.51cvss 7.8epss 0.00
A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The…
- risk 0.51cvss 7.8epss 0.00
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe,…
- risk 0.51cvss 7.8epss 0.00
NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
- risk 0.51cvss 7.8epss 0.00
NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering and information disclosure.
- risk 0.51cvss 7.8epss 0.00
NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
- risk 0.51cvss 7.8epss 0.00
NVIDIA BioNemo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
- risk 0.51cvss 7.3epss 0.00
LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
- risk 0.51cvss 7.8epss 0.00
The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any…
- risk 0.51cvss 7.8epss 0.02
Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
- risk 0.51cvss 7.8epss 0.02
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
- risk 0.51cvss 7.8epss 0.00
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
- risk 0.51cvss 7.8epss 0.00
The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation.