CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 48 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-27749 | — | High | 0.51 | 7.8 | 0.00 | — | Mar 5, 2026 | Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET… |
| CVE-2026-27830 | — | High | 0.51 | — | 0.01 | — | Feb 26, 2026 | c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually… |
| CVE-2026-26208 | — | High | 0.51 | 7.8 | 0.00 | — | Feb 13, 2026 | ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to… |
| CVE-2025-14925 | — | High | 0.51 | 7.8 | 0.00 | — | Dec 23, 2025 | Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in… |
| CVE-2025-14922 | — | High | 0.51 | 7.8 | 0.00 | — | Dec 23, 2025 | Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this… |
| CVE-2025-41701 | — | High | 0.51 | 7.8 | 0.00 | — | Sep 9, 2025 | An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context. |
| CVE-2025-9365 | — | High | 0.51 | 7.8 | 0.00 | — | Sep 3, 2025 | Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. |
| CVE-2025-40759 | — | High | 0.51 | 7.8 | 0.00 | — | Aug 12, 2025 | A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC STEP 7 V20 (All versions < V20 Update 4), SIMATIC WinCC V17… |
| CVE-2025-53416 | — | High | 0.51 | 7.8 | 0.00 | — | Jun 30, 2025 | Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution |
| CVE-2025-53415 | — | High | 0.51 | 7.8 | 0.00 | — | Jun 30, 2025 | Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution |
| CVE-2025-49127 | — | High | 0.51 | — | 0.00 | — | Jun 6, 2025 | Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue. |
| CVE-2024-12742 | — | High | 0.51 | 7.8 | 0.05 | — | Mar 6, 2025 | A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web… |
| CVE-2024-12703 | — | High | 0.51 | 7.8 | 0.00 | — | Jan 17, 2025 | CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. |
| CVE-2024-12677 | — | High | 0.51 | 7.8 | 0.00 | — | Dec 20, 2024 | Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code. |
| CVE-2024-12741 | — | High | 0.51 | 7.8 | 0.04 | — | Dec 18, 2024 | A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects DAQExpress 5.1 and prior versions.… |
| CVE-2024-49849 | — | High | 0.51 | 7.8 | 0.00 | — | Dec 10, 2024 | A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 Safety V16 (All versions), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 9), SIMATIC STEP 7 Safety V18 (All versions), SIMATIC STEP 7 Safety… |
| CVE-2024-45857 | — | High | 0.51 | 7.8 | 0.00 | — | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user's system when the data directory is loaded. |
| CVE-2024-6675 | — | High | 0.51 | 7.8 | 0.00 | — | Jul 22, 2024 | A deserialization of untrusted data vulnerability exists in NI VeriStand that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects VeriStand 2024 Q2 and prior… |
| CVE-2022-45147 | — | High | 0.51 | 7.8 | 0.00 | — | Jul 9, 2024 | A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when… |
| CVE-2024-37065 | — | High | 0.51 | 7.8 | 0.00 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded. |