VYPR

CWE-502

Deserialization of Untrusted Data

Base · Draft · Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 48 of 87
  • CVE-2026-27749 · High · Mar 5, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET…

  • CVE-2026-27830 · High · Feb 26, 2026
    risk 0.51 · cvss (not listed) · epss 0.01

    c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually…

  • CVE-2026-26208 · High · Feb 13, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to…

  • CVE-2025-14925 · High · Dec 23, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in…

  • CVE-2025-14922 · High · Dec 23, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this…

  • CVE-2025-41701 · High · Sep 9, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context.

  • CVE-2025-9365 · High · Sep 3, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code.

  • CVE-2025-40759 · High · Aug 12, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC STEP 7 V20 (All versions < V20 Update 4), SIMATIC WinCC V17…

  • CVE-2025-53416 · High · Jun 30, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution

  • CVE-2025-53415 · High · Jun 30, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution

  • CVE-2025-49127 · High · Jun 6, 2025
    risk 0.51 · cvss (not listed) · epss 0.00

    Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.

  • CVE-2024-12742 · High · Mar 6, 2025
    risk 0.51 · cvss 7.8 · epss 0.05

    A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web…

  • CVE-2024-12703 · High · Jan 17, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.

  • CVE-2024-12677 · High · Dec 20, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code.

  • CVE-2024-12741 · High · Dec 18, 2024
    risk 0.51 · cvss 7.8 · epss 0.04

    A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects DAQExpress 5.1 and prior versions.…

  • CVE-2024-49849 · High · Dec 10, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 Safety V16 (All versions), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 9), SIMATIC STEP 7 Safety V18 (All versions), SIMATIC STEP 7 Safety…

  • CVE-2024-45857 · High · Sep 12, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.

  • CVE-2024-6675 · High · Jul 22, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    A deserialization of untrusted data vulnerability exists in NI VeriStand that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects VeriStand 2024 Q2 and prior…

  • CVE-2022-45147 · High · Jul 9, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when…

  • CVE-2024-37065 · High · Jun 4, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded.